CVE-2025-49127
BaseFortify
Publication date: 2025-06-06
Last updated on: 2025-06-09
Assigner: GitHub, Inc.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-49127 is a high-severity remote code execution vulnerability in the kafbat UI, a web interface for managing Apache Kafka clusters. The flaw is due to unsafe deserialization when kafka-ui connects to a malicious JMX (Java Management Extensions) server configured by an attacker through the Kafka cluster's metrics settings. An unauthenticated attacker can exploit this by setting a malicious JMX server address, causing kafka-ui to deserialize untrusted data and execute arbitrary code on the server. This vulnerability affects version 1.0.0 and is fixed in version 1.1.0. [1]
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to execute arbitrary commands on the kafka-ui server remotely, potentially leading to full system compromise of the host running kafka-ui. This means the attacker can take control of the server, manipulate data, disrupt services, or use the compromised server as a foothold for further attacks. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring kafka-ui configurations for any Kafka clusters with metrics type set to JMX that point to suspicious or untrusted JMX server addresses. Specifically, look for Kafka clusters configured with environment variables like KAFKA_ADVERTISED_LISTENERS containing JMX URLs (e.g., jmx:rmi:///jndi/rmi://<ip>:<port>/jmxrmi). Additionally, inspecting network connections from the kafka-ui server to external JMX endpoints can help detect exploitation attempts. Commands to assist detection include:
1) Checking kafka-ui cluster configurations via API or config files for JMX metrics endpoints.
2) Using network monitoring tools (e.g., netstat, ss) to identify active connections to suspicious JMX ports.
3) Capturing and analyzing HTTP PUT requests to the /api/config endpoint for suspicious payloads setting metrics type to JMX.
Example commands:
- `netstat -anp | grep <kafka-ui-process>` to see active connections.
- `curl -X GET http://<kafka-ui-host>/api/config` (if accessible) to review cluster configs.
- Monitoring logs for PUT requests to /api/config with JMX metrics settings.
These steps help identify if kafka-ui is connecting to potentially malicious JMX servers that could trigger unsafe deserialization. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade kafka-ui to version 1.1.0 or later, where this unsafe deserialization vulnerability has been patched. Until the upgrade can be performed, restrict access to the kafka-ui server to trusted users and networks, and avoid adding or modifying Kafka clusters with metrics type set to JMX, especially from untrusted sources. Additionally, monitor and block suspicious network connections to external JMX endpoints from the kafka-ui server. Applying network-level controls and access restrictions can reduce the risk of exploitation. [1, 2]
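The two detection checks suggested above (cluster configs whose metrics type is JMX but whose JMX target is not a known broker host, and access-log lines that write to /api/config), as an added example that is not part of this advisory or of the kafbat project. The config shape (`clusters` -> `metrics` -> `type`/`url`), the trusted-host allowlist and the sample config and log lines are all assumptions constructed for the example; the JMX URL form is the one quoted on this page.

```python
import re

# JNDI/RMI form quoted on this page: jmx:rmi:///jndi/rmi://<host>:<port>/jmxrmi
JMX_URL_RE = re.compile(
    r"^jmx:rmi:///jndi/rmi://(?P<host>[^:/]+):(?P<port>\d+)/jmxrmi$", re.I)

# Access-log lines that modify the dynamic config endpoint named on this page.
CONFIG_WRITE_RE = re.compile(r'"PUT /api/config\S*')


def jmx_target(url):
    """Return (host, port) for a JMX service URL, or None if it is not in the expected form."""
    m = JMX_URL_RE.match(url.strip())
    return (m.group("host"), int(m.group("port"))) if m else None


def find_untrusted_jmx(config, trusted_hosts):
    """Flag clusters with metrics type JMX whose JMX target host is not allow-listed
    (or whose URL is malformed). Config shape is an assumption for this example."""
    findings = []
    for cluster in config.get("clusters", []):
        metrics = cluster.get("metrics") or {}
        if str(metrics.get("type", "")).upper() != "JMX":
            continue
        target = jmx_target(str(metrics.get("url", "")))
        if target is None or target[0] not in trusted_hosts:
            findings.append((cluster.get("name", "?"), metrics.get("url")))
    return findings


def flag_config_writes(log_lines):
    """Return access-log lines that PUT to /api/config (candidate JMX-settings changes)."""
    return [line for line in log_lines if CONFIG_WRITE_RE.search(line)]


# Constructed sample data (not taken from the advisory); 203.0.113.0/24 is documentation space.
SAMPLE_CONFIG = {"clusters": [
    {"name": "prod", "metrics": {"type": "JMX", "url": "jmx:rmi:///jndi/rmi://10.0.0.5:9999/jmxrmi"}},
    {"name": "staging", "metrics": {"type": "PROMETHEUS", "url": "http://10.0.0.6:9308/metrics"}},
    {"name": "new-cluster", "metrics": {"type": "jmx", "url": "jmx:rmi:///jndi/rmi://203.0.113.7:1099/jmxrmi"}},
]}
TRUSTED_JMX_HOSTS = {"10.0.0.5"}
SAMPLE_LOGS = [
    '10.0.0.9 - - [06/Jun/2025:12:00:01 +0000] "GET /api/clusters HTTP/1.1" 200 512',
    '203.0.113.7 - - [06/Jun/2025:12:00:05 +0000] "PUT /api/config HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for name, url in find_untrusted_jmx(SAMPLE_CONFIG, TRUSTED_JMX_HOSTS):
        print(f"untrusted JMX target in cluster {name!r}: {url}")
    for line in flag_config_writes(SAMPLE_LOGS):
        print("config write:", line)
```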