CVE-2023-25194

Remote Code Execution
Affects: Apache Kafka in Spring
Versions: >=2.3.0 <=3.3.2
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Apache Kafka is a distributed streaming platform designed for building real-time data pipelines and event-driven applications at enterprise scale. It offers a high-throughput, fault-tolerant messaging system that enables applications to publish, store, and process continuous streams of records with low latency. 

A security vulnerability (CVE-2023-25194) has been identified in Apache Kafka, specifically in the kafka-clients library as used within Kafka Connect. It allows authenticated operators to supply malicious SASL JAAS configurations when creating or modifying connectors. By setting a connector’s sasl.jaas.config to use com.sun.security.auth.module.JndiLoginModule, an attacker can cause the Kafka Connect worker to contact a rogue LDAP server and deserialize untrusted responses, potentially triggering harmful gadget chains on the server. This bypass of configuration safeguards can lead to unrestricted deserialization or remote code execution (RCE) when vulnerable classes exist on the classpath.

Per OWASP: Insecure Deserialization occurs when applications deserialize untrusted data, allowing attackers to influence the execution flow of the system. Because many serialization frameworks can create objects, invoke code, or trigger class initializers during deserialization, a malicious payload can lead to severe consequences such as remote code execution, privilege escalation, or arbitrary internal state manipulation. Attackers may exploit this by submitting crafted serialized objects that cause the application to instantiate dangerous classes or execute unexpected logic. When vulnerable libraries or gadget chains are present, insecure deserialization can compromise the entire application or underlying server.

This issue affects multiple versions of Apache Kafka kafka-clients.

Details

Module Info

Vulnerability Info

This high-severity vulnerability is found in the kafka-clients package in all published versions of Apache Kafka.

By setting a connector’s sasl.jaas.config to use com.sun.security.auth.module.JndiLoginModule, an attacker can cause the Kafka Connect worker to contact a rogue LDAP server and deserialize untrusted responses.

Steps To Reproduce

Unit tests reproducing this issue were added in apache/kafka@ae22ec1.

Proof Of Concept

When configuring a connector via the Kafka Connect REST API, an authenticated operator can set the sasl.jaas.config property for any of the connector's Kafka clients to "com.sun.security.auth.module.JndiLoginModule". This can be done through the producer.override.sasl.jaas.config, consumer.override.sasl.jaas.config, or admin.override.sasl.jaas.config properties.

This causes the worker to connect to the attacker's LDAP server and deserialize the LDAP response, which the attacker can use to trigger Java deserialization gadget chains on the Kafka Connect server. The result is unrestricted deserialization of untrusted data, or RCE when suitable gadgets are present on the classpath.
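As an added defender-side check (not part of this advisory and not Apache Kafka's own code), the Python script below audits connector configurations for the login-module override described above. It assumes the connector configs have already been fetched from the Connect REST API (the two sample dicts here are constructed, with placeholder connector classes), that the allowlist of login modules is a placeholder to be adapted to the deployment, and it goes beyond the page by scanning any config key ending in sasl.jaas.config rather than only the three override prefixes named above.

```python
import re
from typing import Dict, List

# Login module the advisory names as the vector for the rogue LDAP lookup.
JNDI_LOGIN_MODULE = "com.sun.security.auth.module.JndiLoginModule"

# Login modules a Connect worker legitimately uses for SASL.
# Assumption for this example: trim or extend to what your deployment needs.
ALLOWED_LOGIN_MODULES = {
    "org.apache.kafka.common.security.plain.PlainLoginModule",
    "org.apache.kafka.common.security.scram.ScramLoginModule",
    "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule",
    "com.sun.security.auth.module.Krb5LoginModule",
}

# A JAAS config string is one or more entries of the form
#   <LoginModuleClass> <required|requisite|sufficient|optional> [key=value ...];
# This pulls the class name that opens each entry. Anything it cannot parse is
# reported rather than ignored, so malformed input fails towards a finding.
_ENTRY_RE = re.compile(
    r"""(?:^|;)\s*([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\s+
        (?:required|requisite|sufficient|optional)\b""",
    re.IGNORECASE | re.VERBOSE,
)


def login_modules(jaas_config: str) -> List[str]:
    """Return the login module class names found in a JAAS config string."""
    return _ENTRY_RE.findall(jaas_config)


def is_jaas_key(key: str) -> bool:
    """True for sasl.jaas.config and every prefixed variant, e.g.
    producer.override.sasl.jaas.config (the three prefixes the advisory names
    are producer.override., consumer.override. and admin.override.)."""
    return key == "sasl.jaas.config" or key.endswith(".sasl.jaas.config")


def audit_connector_config(name: str, config: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one connector; empty means clean."""
    findings = []
    for key, value in config.items():
        if not is_jaas_key(key):
            continue
        modules = login_modules(value)
        if not modules:
            findings.append(f"{name}: {key} has no parseable login module entry: {value!r}")
            continue
        for module in modules:
            if module == JNDI_LOGIN_MODULE:
                findings.append(f"{name}: {key} uses {module} (CVE-2023-25194 vector)")
            elif module not in ALLOWED_LOGIN_MODULES:
                findings.append(f"{name}: {key} uses non-allowlisted login module {module}")
    return findings


def audit_all(configs: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Audit a mapping of connector name -> connector config."""
    return {name: audit_connector_config(name, cfg) for name, cfg in configs.items()}


# Constructed sample configs, shaped like the JSON body returned by
# GET /connectors/<name>/config on the Connect REST API.
SAMPLE_CONFIGS = {
    "orders-sink": {
        "connector.class": "org.example.OrdersSinkConnector",  # placeholder
        "topics": "orders",
        "consumer.override.sasl.jaas.config":
            "org.apache.kafka.common.security.scram.ScramLoginModule required "
            'username="svc-orders" password="REDACTED";',
    },
    "suspicious-source": {
        "connector.class": "org.example.SomeSourceConnector",  # placeholder
        "producer.override.sasl.jaas.config":
            "com.sun.security.auth.module.JndiLoginModule required;",
    },
}

if __name__ == "__main__":
    for connector, findings in audit_all(SAMPLE_CONFIGS).items():
        print(f"{connector}: {'OK' if not findings else 'FINDINGS'}")
        for finding in findings:
            print("  -", finding)
```

The check is allowlist-based on purpose: a JAAS string the parser cannot read, or a login module it does not recognise, is reported just like the JndiLoginModule case, so the audit errs towards a finding rather than silently passing an unusual configuration. In a real deployment the same logic belongs in whatever approves connector config changes, so that the override never reaches the worker in the first place.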

Mitigation

Only recent versions of Apache Kafka are community-supported, and only those versions will receive updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Apache Kafka.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credit

Vulnerability Details

ID: CVE-2023-25194
Project Affected: Apache Kafka
Versions Affected: >=2.3.0 <=3.3.2
Published date: December 16, 2025
≈ Fix date: November 15, 2025
Severity: High
Category: Remote Code Execution

CVSS assessment levels:
  Low       >=0 <4
  Medium    >=4 <6
  High      >=6 <8
  Critical  >=8 <10