CVE-2025-27817
BaseFortify
Publication date: 2025-06-10
Last updated on: 2025-07-11
Assigner: Apache Software Foundation
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | kafka | From 3.1.0 (inc) to 3.9.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-27817 is a vulnerability in Apache Kafka Client versions 3.1.0 through 3.9.0 that allows attackers to read arbitrary files and perform Server-Side Request Forgery (SSRF) attacks. This happens because the Kafka Client accepts configuration parameters for SASL/OAUTHBEARER authentication, specifically "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwks.endpoint.url", which can be manipulated by untrusted parties. Attackers can exploit these parameters to cause the client to read and log arbitrary file contents or environment variables, or to send requests to unintended locations. This is especially dangerous in Apache Kafka Connect, where an attacker with REST API access can escalate privileges to access filesystem, environment variables, or arbitrary URLs. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive information by reading arbitrary files and environment variables. It can also allow attackers to perform SSRF attacks, potentially accessing internal systems or services that are not intended to be reachable. In multi-tenant or SaaS environments, this can lead to privilege escalation and compromise of data or services, posing significant security risks. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking if your Apache Kafka Client configurations include untrusted or unexpected values for 'sasl.oauthbearer.token.endpoint.url' and 'sasl.oauthbearer.jwks.endpoint.url'. You can inspect Kafka client configuration files or environment variables for these parameters. Additionally, monitor error logs for unexpected file contents being logged, which may indicate exploitation attempts. There are no specific commands provided in the resources, but you can use commands like 'grep' to search configuration files, e.g., 'grep -r sasl.oauthbearer.token.endpoint.url /path/to/kafka/config', and review logs with 'tail' or 'grep' for suspicious entries. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to upgrade the Apache Kafka Client to version 3.9.1 or later. On versions 4.0.0 and newer, explicitly set the JVM system property '-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls' to an allowlist of permitted URLs, so that the OAuth bearer token and JWKS endpoint URLs used by your SASL JAAS configuration are restricted to those entries. On version 3.9.1 the property defaults to allowing all URLs, so it is still recommended to set it explicitly to limit the allowed URLs. Also ensure that untrusted parties cannot control Kafka Client configurations, especially in environments such as Apache Kafka Connect. [1]
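As an added example covering both the detection and the mitigation answers above (this is not code from the page or from Apache Kafka), the following Python audits Kafka client, Connect worker and connector configurations for the two OAUTHBEARER endpoint settings and flags any value that is not an https URL on an allowlist. The allowlist entries and the sample configuration are constructed values; the prefix handling assumes Connect's "producer.override." / "consumer.override." naming.

```python
import json
import re
from urllib.parse import urlparse

# Assumed allowlist: the identity-provider endpoints this deployment should use
# (constructed values; substitute your own).
ALLOWED_URLS = {"https://idp.example.com/oauth2/token",
                "https://idp.example.com/oauth2/jwks"}

# The two settings named in the advisory; Kafka Connect may carry them under a
# prefix such as "producer.override." or "consumer.override.".
ENDPOINT_SUFFIXES = ("sasl.oauthbearer.token.endpoint.url",
                     "sasl.oauthbearer.jwks.endpoint.url")
_PROP_RE = re.compile(r"^\s*(?P<key>[\w.\-]+)\s*[=:]\s*(?P<val>.*?)\s*$")

def check_endpoint_url(value, allowed=ALLOWED_URLS):
    """Reasons a configured URL is suspicious; an empty list means it passes."""
    reasons = []
    if urlparse(value).scheme != "https":
        reasons.append("scheme is not https")
    if value not in allowed:
        reasons.append("not on the allowlist")
    return reasons

def audit_pairs(pairs, allowed=ALLOWED_URLS):
    """Check (key, value) pairs; return [(key, value, reasons)] for flagged ones."""
    findings = []
    for key, value in pairs:
        if key.endswith(ENDPOINT_SUFFIXES):
            reasons = check_endpoint_url(str(value), allowed)
            if reasons:
                findings.append((key, str(value), reasons))
    return findings

def audit_properties(text, allowed=ALLOWED_URLS):
    """Audit a Java .properties document (client or Connect worker config)."""
    matches = (_PROP_RE.match(line) for line in text.splitlines())
    return audit_pairs([(m["key"], m["val"]) for m in matches if m], allowed)

def audit_connector_json(doc, allowed=ALLOWED_URLS):
    """Audit a connector definition as served by the Connect REST API."""
    cfg = json.loads(doc) if isinstance(doc, str) else doc
    return audit_pairs(cfg.get("config", cfg).items(), allowed)

# Constructed sample worker config: the token URL passes, the jwks override does not.
SAMPLE_PROPERTIES = """\
sasl.mechanism=OAUTHBEARER
sasl.oauthbearer.token.endpoint.url=https://idp.example.com/oauth2/token
producer.override.sasl.oauthbearer.jwks.endpoint.url=http://not-the-idp.example.net/jwks
"""
```

Run `audit_properties` over each properties file and `audit_connector_json` over each connector returned by the Connect REST API; any finding is a configuration that the allowlist property would have rejected and that warrants review.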