CVE-2025-27817

Server-Side Request Forgery
Affects: Apache Kafka (NES for Spring)
Versions: >=3.1.0 <3.9.1
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Apache Kafka is a distributed streaming platform designed for building real-time data pipelines and event-driven applications at enterprise scale. It offers a high-throughput, fault-tolerant messaging system that enables applications to publish, store, and process continuous streams of records with low latency. 

A security vulnerability (CVE-2025-27817) has been identified in Apache Kafka's kafka-clients library. The risk is highest in Kafka Connect deployments, where connector configuration values can arrive from untrusted parties through the REST API. The client accepts OAuth-based SASL settings such as sasl.oauthbearer.token.endpoint.url and sasl.oauthbearer.jwks.endpoint.url from client or connector configuration, and an attacker who can set those values can point them at local files or at internal network endpoints. This turns limited REST API access into arbitrary file reads, disclosure of environment variables, or SSRF to unintended destinations.

Per OWASP: Server-Side Request Forgery (SSRF) occurs when an application lets user-controlled input influence outbound network requests, allowing attackers to make the server contact unintended internal or external resources. By manipulating URLs or request parameters, an attacker can access sensitive internal services, retrieve protected data, or pivot deeper into the environment. Without strict validation or allow-listing, SSRF can bypass network controls and lead to significant compromise.

This issue affects kafka-clients versions 3.1.0 up to but not including 3.9.1.

Details

Vulnerability Info

This high-severity vulnerability is in the kafka-clients library, in versions 3.1.0 up to but not including 3.9.1 (the affected range listed on this page).

Kafka clients accept configuration for establishing SASL/OAUTHBEARER connections to brokers, including sasl.oauthbearer.token.endpoint.url and sasl.oauthbearer.jwks.endpoint.url, which tell the client where to fetch an access token or the JWKS key material. Affected versions do not restrict what these settings may reference. A file:// URL makes the client read that local file as if it were a token, and when the contents fail to parse, the resulting error message (and therefore the error log) can include them. An http(s) URL makes the client issue an outbound request to whatever host is named, including internal services. In deployments where untrusted parties can supply client or connector configuration, an attacker can therefore read arbitrary files, leak environment information, or perform SSRF. In Kafka Connect in particular, this escalates limited REST API access into filesystem, environment, or network access.

Steps To Reproduce

Supply a Kafka client (or Kafka Connect connector) configuration that sets sasl.oauthbearer.token.endpoint.url or sasl.oauthbearer.jwks.endpoint.url to an attacker-chosen location: a file:// URL to read a local file, or the http(s):// URL of an internal service to trigger SSRF. Then let the client attempt to authenticate, which is when it retrieves the token or JWKS.

Proof Of Concept

When the client attempts to obtain a token or JWKS from the rogue location, it will:

  • Read from the local filesystem (if given a file:// reference), and under error conditions may emit the file contents into error logs.

  • Make outbound HTTP requests (SSRF), including to internal or otherwise restricted services.
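The following script is an added example written for this page; it is not code from HeroDevs or the Apache Kafka project. It audits Kafka Connect connector configurations for the two settings named in the Vulnerability Info section and in the reproduction steps above, flagging file:// references (file read), URLs that resolve to loopback, private or link-local addresses (SSRF), and hosts outside an allow-list. It assumes the connector configs have already been fetched from the Connect REST API into Python dicts; the sample configs, connector classes and hostnames below are constructed for illustration.

```python
"""Audit Kafka Connect connector configs for the CVE-2025-27817 pattern.

Added example, not code from Apache Kafka or HeroDevs. Assumes connector
configs were fetched (e.g. GET /connectors?expand=config) into dicts; the
SAMPLE_CONNECTORS below are constructed, with invented names and hosts.
"""
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# The two OAUTHBEARER settings named in the advisory. Connector configs reach the
# worker's clients through the producer.override./consumer.override./admin.override.
# prefixes, and some connectors carry client settings under their own prefixes,
# so we match on the key suffix rather than on the bare key.
SUSPECT_SUFFIXES = (
    "sasl.oauthbearer.token.endpoint.url",
    "sasl.oauthbearer.jwks.endpoint.url",
)


def is_internal_host(host: str) -> bool:
    """True for loopback, RFC 1918, link-local (cloud metadata) and similar targets."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        # Not an IP literal: treat obvious local names as internal (assumption).
        lowered = host.lower()
        return lowered == "localhost" or lowered.endswith((".local", ".internal"))
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified)


def classify_endpoint_url(value: str, allowed_hosts) -> Optional[str]:
    """Return a finding code for a dangerous URL, or None if it looks safe.

    Codes: 'file-read'     file:// URL, read from the worker's filesystem
           'bad-scheme'    anything other than file/http/https
           'no-host'       http(s) URL without a host
           'ssrf-internal' http(s) URL to an internal address
           'not-allowed'   http(s) URL to a host outside the allow-list
    """
    parts = urlsplit(value.strip())
    scheme = parts.scheme.lower()
    if scheme == "file":
        return "file-read"
    if scheme not in ("http", "https"):
        return "bad-scheme"
    host = parts.hostname  # already lower-cased; user@host tricks are stripped
    if not host:
        return "no-host"
    if host in allowed_hosts:
        return None
    if is_internal_host(host):
        return "ssrf-internal"
    return "not-allowed"


def audit_connectors(connectors: dict, allowed_hosts) -> list:
    """Return (connector, key, value, code) for every suspect URL setting."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for name, config in connectors.items():
        for key, value in config.items():
            if key.endswith(SUSPECT_SUFFIXES) and isinstance(value, str):
                code = classify_endpoint_url(value, allowed)
                if code is not None:
                    findings.append((name, key, value, code))
    return findings


# Constructed sample: three connector configs in the shape the Connect REST API
# returns them. Names, classes and hosts are invented for this example.
SAMPLE_CONNECTORS = {
    "orders-sink": {
        "connector.class": "com.example.OrdersSinkConnector",
        "producer.override.sasl.mechanism": "OAUTHBEARER",
        "producer.override.sasl.oauthbearer.token.endpoint.url":
            "https://login.example.com/oauth2/token",
    },
    "rogue-file-read": {
        "connector.class": "com.example.AnySourceConnector",
        "producer.override.sasl.mechanism": "OAUTHBEARER",
        # A file:// URL makes the client read the file as if it were a token;
        # /proc/self/environ is one Linux path exposing the process environment.
        "producer.override.sasl.oauthbearer.token.endpoint.url": "file:///proc/self/environ",
    },
    "rogue-ssrf": {
        "connector.class": "com.example.AnySinkConnector",
        "consumer.override.sasl.mechanism": "OAUTHBEARER",
        "consumer.override.sasl.oauthbearer.jwks.endpoint.url":
            "http://169.254.169.254/latest/meta-data/",
    },
}

ALLOWED_HOSTS = {"login.example.com"}  # the identity provider this deployment uses

if __name__ == "__main__":
    for name, key, value, code in audit_connectors(SAMPLE_CONNECTORS, ALLOWED_HOSTS):
        print(f"[{code}] {name}: {key} = {value}")
```

Run against real data by replacing SAMPLE_CONNECTORS with the parsed JSON from the Connect REST API. The allow-list is compared against the parsed hostname, so a URL such as http://login.example.com@127.0.0.1/ is still classified as internal rather than allowed.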

Mitigation

Only recent versions of Apache Kafka are community-supported, and only those versions receive updates addressing this issue.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to Apache Kafka 3.9.1 or later (the first release outside the affected range). The upstream fix also adds the org.apache.kafka.sasl.oauthbearer.allowed.urls system property, an allow-list of URLs these settings may reference; set it on the JVM running the client or Connect worker so that only your identity provider's endpoints are permitted.
  • Where an upgrade is not immediately possible, restrict who can create or modify connector configurations through the Connect REST API, and review existing connector configurations for sasl.oauthbearer.*.url values that reference file:// paths or internal hosts.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credit

  • VulTeam of ThreatBook

Vulnerability Details

ID: CVE-2025-27817
Project affected: Apache Kafka
Versions affected: >=3.1.0 <3.9.1
Published date: December 16, 2025
Approximate fix date: November 15, 2025
Severity: High
Category: Server-Side Request Forgery

Severity levels by CVSS score (as used on this page):
  Low       >=0 <4
  Medium    >=4 <6
  High      >=6 <8
  Critical  >=8 <10