CVE-2025-27819
BaseFortify

Publication date: 2025-06-10

Last updated on: 2025-07-11

Assigner: Apache Software Foundation

Description
In CVE-2023-25194 we announced the RCE/denial-of-service attack via SASL JAAS JndiLoginModule configuration in the Kafka Connect API. The Kafka Connect API is not the only component affected: Apache Kafka brokers also have this vulnerability. To exploit it, the attacker must be able to connect to the Kafka cluster and must have the AlterConfigs permission on the cluster resource. Since Apache Kafka 3.4.0 we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules in SASL JAAS configuration. By default, "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka 3.4.0, and "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule" are disabled by default in Apache Kafka 3.9.1/4.0.0.
Meta Information
Published: 2025-06-10
Last Modified: 2025-07-11
Generated: 2026-05-07
AI Q&A: 2025-06-10
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Vendor: apache
Product: kafka
Version / Range: from 2.0.0 (inclusive) to 3.3.2 (inclusive)
CWE
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-27819 is a vulnerability in Apache Kafka brokers related to the SASL JAAS JndiLoginModule configuration. An attacker who can connect to the Kafka cluster and has AlterConfigs permission can exploit this vulnerability. It allows the attacker to configure Kafka to connect to a malicious LDAP server, which can send crafted responses that trigger Java deserialization of untrusted data. This can lead to remote code execution or denial of service on the Kafka server. [1]


How can this vulnerability impact me?

If exploited, this vulnerability can allow an attacker to execute arbitrary code remotely on the Kafka server or cause denial of service. This can compromise the integrity, availability, and security of your Kafka cluster, potentially leading to data breaches, service outages, or unauthorized control over your Kafka infrastructure. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves checking Kafka configurations for usage of vulnerable SASL JAAS login modules such as "com.sun.security.auth.module.JndiLoginModule" or "com.sun.security.auth.module.LdapLoginModule" in sasl.jaas.config properties. You can inspect Kafka Connect worker configurations and connector properties for overrides like producer.override.sasl.jaas.config, consumer.override.sasl.jaas.config, or admin.override.sasl.jaas.config that specify these modules. Commands to detect this might include grepping configuration files or running Kafka Connect REST API queries to list connector configurations. For example, use: `grep -r 'JndiLoginModule' /path/to/kafka/config` or query connectors with `curl -s http://<connect-host>:8083/connectors/<connector-name>/config | grep sasl.jaas.config` to find risky settings. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading Apache Kafka to version 3.9.1 or later, where the problematic login modules "com.sun.security.auth.module.JndiLoginModule" and "com.sun.security.auth.module.LdapLoginModule" are disabled by default. Additionally, you can set the system property `-Dorg.apache.kafka.disallowed.login.modules` to explicitly disable these login modules in SASL JAAS configurations. Restricting AlterConfigs permissions on the Kafka cluster resource to trusted users also reduces risk. [1]
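The two answers above describe a detection check (look for sasl.jaas.config entries, including Connect's producer/consumer/admin override keys, that name JndiLoginModule or LdapLoginModule) and a mitigation check (the -Dorg.apache.kafka.disallowed.login.modules system property). The following Python script is an added example that implements both; it is not BaseFortify's or the Apache Kafka project's code. It assumes a broker properties file and a connector config JSON document of the shape the Connect REST API returns; the sample inputs are constructed here and the minimal .properties reader does not handle line continuations.

```python
import json
import re

# Added example (not BaseFortify's or Apache Kafka's code). Scans Kafka and
# Kafka Connect configuration text for SASL JAAS entries that use the login
# modules the advisory names, and checks whether the documented system
# property disallows them.

# Modules disabled by default in Kafka 3.9.1/4.0.0 per the advisory
# (3.4.0 disabled only JndiLoginModule). Extend for your own policy.
DISALLOWED_LOGIN_MODULES = frozenset({
    "com.sun.security.auth.module.JndiLoginModule",
    "com.sun.security.auth.module.LdapLoginModule",
})
SYSTEM_PROPERTY = "org.apache.kafka.disallowed.login.modules"

# A JAAS config value starts with "<LoginModule class> <control flag> ...;"
_JAAS_MODULE_RE = re.compile(
    r"^\s*([A-Za-z_][\w.$]*)\s+(?:required|requisite|sufficient|optional)\b", re.I)
_PROPERTY_RE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def login_module_of(jaas_config):
    """Return the LoginModule class named by a sasl.jaas.config value, or None."""
    m = _JAAS_MODULE_RE.match(jaas_config)
    return m.group(1) if m else None


def parse_properties(text):
    """Minimal Java .properties reader: comments, key=value / key: value; no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _PROPERTY_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def jaas_entries(config):
    """Keys that carry a JAAS config: sasl.jaas.config itself, Connect's
    *.override.sasl.jaas.config keys, and broker listener.name.*.sasl.jaas.config keys."""
    return {k: v for k, v in config.items()
            if k == "sasl.jaas.config" or k.endswith(".sasl.jaas.config")}


def flagged_jaas_entries(config, disallowed=DISALLOWED_LOGIN_MODULES):
    """(key, module) pairs whose JAAS entry uses a disallowed login module."""
    out = []
    for key, value in sorted(jaas_entries(config).items()):
        module = login_module_of(value)
        if module in disallowed:
            out.append((key, module))
    return out


def disallowed_modules_from_jvm_opts(opts):
    """Parse -Dorg.apache.kafka.disallowed.login.modules=a,b from a JVM option string (e.g. KAFKA_OPTS)."""
    m = re.search(r"-D" + re.escape(SYSTEM_PROPERTY) + r"=([^\s]+)", opts)
    if not m:
        return set()
    return {x.strip() for x in m.group(1).split(",") if x.strip()}


def property_covers(opts, disallowed=DISALLOWED_LOGIN_MODULES):
    """True if the JVM options disallow every module in `disallowed`."""
    return disallowed <= disallowed_modules_from_jvm_opts(opts)


# --- Constructed sample inputs (not taken from any real deployment) ---
SAMPLE_SERVER_PROPERTIES = """\
# constructed broker config: PLAIN mechanism, nothing to flag
listeners=SASL_PLAINTEXT://:9092
sasl.enabled.mechanisms=PLAIN
listener.name.sasl_plaintext.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="admin" password="REDACTED";
"""

# constructed connector config, shaped like GET /connectors/<name>/config output
SAMPLE_CONNECTOR_CONFIG_JSON = json.dumps({
    "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
    "topics": "audit",
    "producer.override.sasl.jaas.config":
        "com.sun.security.auth.module.JndiLoginModule required;",
})

SAMPLE_KAFKA_OPTS = ("-Xmx1g -D" + SYSTEM_PROPERTY +
                     "=com.sun.security.auth.module.JndiLoginModule,"
                     "com.sun.security.auth.module.LdapLoginModule")


def audit(server_properties_text, connector_config_json, jvm_opts):
    """Run the config checks and the system-property check; return one report dict."""
    findings = flagged_jaas_entries(parse_properties(server_properties_text))
    findings += flagged_jaas_entries(json.loads(connector_config_json))
    return {"findings": findings, "property_set": property_covers(jvm_opts)}


if __name__ == "__main__":
    print(audit(SAMPLE_SERVER_PROPERTIES, SAMPLE_CONNECTOR_CONFIG_JSON, SAMPLE_KAFKA_OPTS))
```

Run against real files by reading server.properties and each connector's config document into `audit`, and pass the broker's actual KAFKA_OPTS; a non-empty `findings` list or `property_set` of False is what to act on. Note that on a 3.9.1/4.0.0 broker the property check is belt-and-braces, since those versions disallow both modules by default.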

