CVE-2025-27818
Overview
Apache Kafka is an open-source distributed event-streaming platform used for high-throughput, fault-tolerant data pipelines, messaging, and stream processing. Its Java client library (kafka-clients) provides the producer, consumer, and admin APIs that applications use to communicate with a Kafka cluster.
A Remote Code Execution vulnerability (CVE-2025-27818) has been identified in the kafka-clients library, which allows an authenticated operator who can set a Kafka client's sasl.jaas.config to point the client at com.sun.security.auth.module.LdapLoginModule. When the client logs in, it connects to an attacker-controlled LDAP server and deserializes the response, enabling unsafe deserialization and potential code execution when deserialization gadgets are present on the classpath.
Per OWASP: Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process, taking data structured in some format and rebuilding it into an object. Data formats that allow the inclusion of object types can be abused to instantiate arbitrary classes and execute attacker-controlled code.
This issue affects multiple versions of Apache Kafka, from 2.3.0 up to but not including 3.9.1.
Details
Module Info
- Product: Apache Kafka
- Affected packages: org.apache.kafka:kafka-clients
- Affected versions: >=2.3.0 <3.9.1
- GitHub repository: https://github.com/apache/kafka
- Published packages: https://central.sonatype.com/artifact/org.apache.kafka/kafka-clients
- Package manager: Gradle
- Fixed in:
  - OSS Apache Kafka: 3.9.1, 4.0.0
  - NES for Apache Kafka: 3.1.4
Vulnerability Info
This High-severity vulnerability is found in the kafka-clients package in multiple versions of Apache Kafka. The flaw stems from the way Kafka resolves SASL JAAS login modules: an authenticated principal who can supply a client's sasl.jaas.config can name com.sun.security.auth.module.LdapLoginModule as the login module and point its options at an attacker-controlled LDAP endpoint.
An attacker requires access to the cluster's AlterConfig API on the cluster resource, or access to a Kafka Connect worker plus the ability to create or modify connectors with an arbitrary client SASL JAAS configuration and a SASL-based security protocol. Since Kafka 3.0.0, the producer.override.sasl.jaas.config, consumer.override.sasl.jaas.config, and admin.override.sasl.jaas.config properties are accepted in connector configurations on out-of-the-box Connect clusters; before 3.0.0, an administrator-configured connector client override policy is required to permit them.
When such a configuration is applied, the Kafka client attempts an LDAP bind against the attacker's server, the server returns a malicious response, and the client deserializes it. If a Java deserialization gadget is present on the server classpath, this results in remote code execution; otherwise the impact is unsafe deserialization and server-side request forgery to the LDAP endpoint. The fix adds com.sun.security.auth.module.LdapLoginModule to the default disallowed-login-module list so that the client rejects such configurations by default, extending the earlier defense that blocked com.sun.security.auth.module.JndiLoginModule.
This vulnerability has been present since Apache Kafka 2.3.0, when connector client configuration overrides were first introduced.
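The following audit check is an added example, not code from Apache Kafka or this advisory: it applies the same rule the fix enforces (rejecting a sasl.jaas.config whose login module is on the disallowed list) to a Kafka Connect connector configuration, so operators on an unpatched worker can scan existing connectors. The sample configurations and the ldap.example.invalid host are constructed placeholders.

```python
from typing import Dict, List, FrozenSet

# Default disallowed login modules in the fixed kafka-clients releases (3.9.1, 4.0.0).
# Before the fix the default list contained only JndiLoginModule.
DISALLOWED_LOGIN_MODULES: FrozenSet[str] = frozenset({
    "com.sun.security.auth.module.JndiLoginModule",
    "com.sun.security.auth.module.LdapLoginModule",
})
SASL_PROTOCOLS = {"SASL_PLAINTEXT", "SASL_SSL"}


def login_module_of(jaas_config: str) -> str:
    """Return the login module class named by a sasl.jaas.config value.
    Kafka accepts exactly one entry: '<LoginModuleClass> <controlFlag> [k=v ...];'."""
    body = jaas_config.strip()
    if not body.endswith(";"):
        raise ValueError("sasl.jaas.config must end with ';'")
    tokens = body[:-1].split()
    if len(tokens) < 2:
        raise ValueError("expected '<login module class> <control flag> ...'")
    return tokens[0]


def audit_connector_config(config: Dict[str, str],
                           disallowed: FrozenSet[str] = DISALLOWED_LOGIN_MODULES) -> List[str]:
    """Flag every *sasl.jaas.config key (plain or producer./consumer./admin.override.)
    whose login module is disallowed, noting whether a SASL protocol is actually set."""
    findings = []
    for key, value in config.items():
        if not key.endswith("sasl.jaas.config"):
            continue
        module = login_module_of(value)
        if module not in disallowed:
            continue
        prefix = key[: -len("sasl.jaas.config")]  # "" or e.g. "producer.override."
        protocol = config.get(prefix + "security.protocol", "PLAINTEXT")
        reachable = "SASL in use" if protocol in SASL_PROTOCOLS else "no SASL protocol set"
        findings.append(f"{key}: disallowed login module {module} ({reachable})")
    return findings


# Constructed connector configs for illustration; the LDAP host is a placeholder.
SUSPECT_CONFIG = {
    "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
    "producer.override.security.protocol": "SASL_PLAINTEXT",
    "producer.override.sasl.mechanism": "PLAIN",
    "producer.override.sasl.jaas.config":
        'com.sun.security.auth.module.LdapLoginModule required '
        'userProvider="ldap://ldap.example.invalid/";',
}
BENIGN_CONFIG = {
    "producer.override.sasl.jaas.config":
        'org.apache.kafka.common.security.plain.PlainLoginModule required '
        'username="connect" password="REDACTED";',
}
```

Feeding each connector's config from the Connect REST API into audit_connector_config lists the connectors that a patched worker would refuse to start.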
Mitigation
Only recent versions of Apache Kafka are community-supported. The affected 3.1.x line is End-of-Life and will not receive public updates to address this issue. There is no publicly available fix for the 3.1.x line; NES for Apache Kafka is the remedy for that line.
Users of the affected components should apply one of the following mitigations:
- Upgrade Apache Kafka to a currently supported release that contains the fix, such as 3.9.1 or 4.0.0.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Credits
- 罗鑫 (Luo Xin) (finder)
- ra1lgun (finder)