CVE-2025-27819

Remote Code Execution
Affects: Apache Kafka in NES for Apache Kafka
Versions: >=2.0.0 <3.9.1

Overview

Apache Kafka is an open-source distributed event-streaming platform used for high-throughput, fault-tolerant data pipelines, messaging, and stream processing. Its Java client library (kafka-clients) provides the producer, consumer, and admin APIs that applications use to communicate with a Kafka cluster.

A Remote Code Execution vulnerability (CVE-2025-27819) has been identified in Apache Kafka, which allows an attacker who can connect to the cluster and holds the AlterConfigs permission on the cluster resource to set a SASL JAAS configuration that names a dangerous login module. When that configuration is parsed, the login module performs a JNDI/LDAP lookup against an attacker-controlled server, which can return a serialized Java object that is deserialized into remote code execution, or can hang or error out into a denial of service.

Per OWASP: Injection flaws, such as the deserialization of untrusted data, allow attackers to relay malicious data to an interpreter so that hostile content is executed or processed outside of its intended context.

This issue affects multiple versions of Apache Kafka, from 2.0.0 up to but not including 3.9.1.

Details

Module Info

Vulnerability Info

This High-severity vulnerability is a Deserialization of Untrusted Data flaw (CWE-502) in the SASL JAAS handling shared by the kafka-clients and broker code paths. Apache Kafka resolves the login modules named in a sasl.jaas.config value through org.apache.kafka.common.security.JaasContext, and prior to the fix the default deny-list did not block com.sun.security.auth.module.LdapLoginModule.

An attacker who can authenticate to the cluster and holds the AlterConfigs permission on the cluster resource can issue an AlterConfigs or IncrementalAlterConfigs request that points a SASL listener's JAAS configuration at LdapLoginModule (or, on older releases with no deny-list at all, JndiLoginModule) with an attacker-controlled JNDI/LDAP provider URL. When the broker loads that JAAS context, the login module reaches out to the attacker's server, which can return a serialized Java object that is deserialized into remote code execution, or can cause the broker to hang or fail for a denial of service. This is the same deserialization sink previously closed for JndiLoginModule in the Kafka Connect path; the fix extends the default deny-list to also reject LdapLoginModule on both client and broker contexts.

This vulnerability has been present since at least Apache Kafka 2.0.0.
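As an added example, not code from this advisory or from Apache Kafka itself, the following Python check shows the defensive idea behind the fix: parse a sasl.jaas.config value into its login-module entries and reject any entry naming a deny-listed module, so an operator can screen AlterConfigs/IncrementalAlterConfigs changes (for example in a change-review hook or over an audit log) before they reach a broker. The deny-list contents mirror the two modules the advisory names; the sample config keys and values are constructed for the example.

```python
import re

# Login modules that the fixed default deny-list rejects, per this advisory
# (LdapLoginModule was added alongside the previously blocked JndiLoginModule).
DENIED_LOGIN_MODULES = frozenset({
    "com.sun.security.auth.module.JndiLoginModule",
    "com.sun.security.auth.module.LdapLoginModule",
})

# One JAAS entry: <LoginModuleClass> <control flag> [key=value ...] ;
_ENTRY = re.compile(
    r"\s*(?P<module>[A-Za-z_$][\w.$]*)\s+"
    r"(?P<flag>required|requisite|sufficient|optional)\b(?P<opts>[^;]*);",
    re.IGNORECASE,
)
_OPTION = re.compile(r"""([\w.]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")


def parse_jaas_config(value: str) -> list[dict]:
    """Split a sasl.jaas.config value into its login-module entries."""
    entries, pos = [], 0
    while value[pos:].strip():
        m = _ENTRY.match(value, pos)
        if m is None:
            raise ValueError(f"malformed JAAS entry near offset {pos}")
        opts = {o.group(1): o.group(2) or o.group(3) or o.group(4) or ""
                for o in _OPTION.finditer(m.group("opts"))}
        entries.append({"module": m.group("module"),
                        "flag": m.group("flag").lower(), "options": opts})
        pos = m.end()
    return entries


def denied_modules(value: str, denied=DENIED_LOGIN_MODULES) -> list[str]:
    """Return the login modules in `value` that the deny-list rejects."""
    return [e["module"] for e in parse_jaas_config(value) if e["module"] in denied]


def audit_alter_configs(changes: dict[str, str]) -> dict[str, list[str]]:
    """Flag every *sasl.jaas.config key (listener-scoped names included)
    whose proposed value names a denied login module."""
    return {k: hits for k, v in changes.items()
            if k.endswith("sasl.jaas.config") and (hits := denied_modules(v))}


# Constructed sample of a pending config change (not a real cluster's values).
SAMPLE_CHANGES = {
    "listener.name.sasl_plaintext.plain.sasl.jaas.config":
        "org.apache.kafka.common.security.plain.PlainLoginModule required "
        'username="broker" password="placeholder" user_broker="placeholder";',
    "listener.name.sasl_ssl.plain.sasl.jaas.config":
        "com.sun.security.auth.module.LdapLoginModule required;",
}

if __name__ == "__main__":
    for key, modules in audit_alter_configs(SAMPLE_CHANGES).items():
        print(f"REJECT {key}: denied login module(s) {modules}")
```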

Mitigation

Only recent versions of Apache Kafka are community-supported. The affected 3.1.x line is End-of-Life and will not receive public updates to address this issue. There is no publicly available fix for the 3.1.x line; NES for Apache Kafka is the remedy for that line.

Users of the affected components should apply one of the following mitigations:

  • Upgrade Apache Kafka to a currently supported release that contains the fix, such as 3.9.1.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

  • No finder is publicly credited for this vulnerability.
Vulnerability Details

Severity: High

CVSS assessment levels:
  Low       >=0 <4
  Medium    >=4 <6
  High      >=6 <8
  Critical  >=8 <10

ID: CVE-2025-27819
Project Affected: Apache Kafka
Versions Affected: >=2.0.0 <3.9.1
NES Versions Affected:
Published date: July 1, 2026
≈ Fix date:
Category: Remote Code Execution