BIT-kafka-2025-27817
Arbitrary File Read vulnerability in kafka-clients (Maven)
What is BIT-kafka-2025-27817 About?
This vulnerability in Apache Kafka Clients can lead to arbitrary file read and Server-Side Request Forgery (SSRF). By manipulating specific configuration settings, attackers can force the client to disclose file contents or make requests to arbitrary URLs, potentially escalating privileges. Exploitation is relatively easy if an untrusted party can control client configurations.
Affected Software
Technical Details
Apache Kafka Clients accept configuration parameters such as 'sasl.oauthbearer.token.endpoint.url' and 'sasl.oauthbearer.jwks.endpoint.url' for SASL/OAUTHBEARER connections. A flaw allows an untrusted party to specify arbitrary URLs or file paths in these configurations. When specified, the client will attempt to read the content of these files or make requests to the provided URLs. The content read from arbitrary files or responses from unintended URL requests can then be returned in the client's error log, allowing for information disclosure (e.g., reading environment variables or sensitive files) or SSRF attacks, particularly when used in Apache Kafka Connect to escalate from REST API access.
What is the Impact of BIT-kafka-2025-27817?
Successful exploitation may allow attackers to read arbitrary files from the system, retrieve environment variables, and make requests to unintended network locations, leading to information disclosure or further network compromise.
What is the Exploitability of BIT-kafka-2025-27817?
Exploitation requires an attacker to be able to supply or modify specific Apache Kafka Clients configuration data, specifically 'sasl.oauthbearer.token.endpoint.url' and 'sasl.oauthbearer.jwks.endpoint.url'. This makes the vulnerability highly dependent on the application's design; if configurations can be specified by an untrusted party, exploitation is straightforward. There are no specific authentication or privilege requirements beyond the ability to influence these configuration strings. Both local and remote vectors are possible depending on how the configuration is exposed. The primary risk factor is the deployment of Apache Kafka Connect or similar applications where untrusted input can reach these sensitive configuration parameters.
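The two settings named in the Technical Details and Exploitability sections are the whole attack surface, so a defender can audit them mechanically. The following is an added example (not code from the page or the Kafka project) that scans a Kafka Connect connector configuration, matching the keys by suffix so that Connect's producer.override./consumer.override./admin.override. forms are caught too, and flags any value that is a local file path or is not an https URL to an allowlisted identity-provider host. The sample configuration, the allowlist and the example.com hosts are constructed for illustration.

```python
"""Audit Kafka Connect configs for unsafe OAUTHBEARER endpoint values.
Added example; the sample config and allowlist below are constructed."""
import json
from urllib.parse import urlsplit

# The two client settings named in the advisory. Kafka Connect also accepts
# them under the producer.override./consumer.override./admin.override.
# prefixes, so match on the suffix rather than the exact key.
SENSITIVE_SUFFIXES = (
    "sasl.oauthbearer.token.endpoint.url",
    "sasl.oauthbearer.jwks.endpoint.url",
)


def classify_endpoint(value: str, allowed_hosts: set[str]) -> list[str]:
    """Return the reasons a value is unsafe; an empty list means acceptable."""
    reasons = []
    parts = urlsplit(value.strip())
    scheme = parts.scheme.lower()
    if scheme in ("", "file"):
        # A bare path or file: URL makes the client read a local file.
        reasons.append("local file path")
        return reasons
    if scheme != "https":
        reasons.append(f"non-https scheme {scheme!r}")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        # Any host outside the known identity provider is potential SSRF.
        reasons.append(f"host {host!r} not in allowlist")
    return reasons


def audit_config(config: dict, allowed_hosts: set[str]) -> list[tuple[str, str, str]]:
    """Flag every sensitive key whose value is not an allowlisted https URL."""
    findings = []
    for key, value in config.items():
        if key.endswith(SENSITIVE_SUFFIXES):
            for reason in classify_endpoint(str(value), allowed_hosts):
                findings.append((key, str(value), reason))
    return findings


# Constructed sample in the shape of GET /connectors/<name>/config output.
SAMPLE_CONFIG = json.loads("""{
  "connector.class": "FileStreamSink",
  "producer.override.sasl.oauthbearer.token.endpoint.url": "https://login.example.com/oauth2/token",
  "consumer.override.sasl.oauthbearer.jwks.endpoint.url": "file:///etc/hostname",
  "admin.override.sasl.oauthbearer.token.endpoint.url": "http://internal-service.example.internal:8080/"
}""")
ALLOWED_IDP_HOSTS = {"login.example.com"}  # constructed allowlist

if __name__ == "__main__":
    for key, value, reason in audit_config(SAMPLE_CONFIG, ALLOWED_IDP_HOSTS):
        print(f"{key} = {value}: {reason}")
```

Run it against each connector's config from the Connect REST API and against the worker properties; any finding means an untrusted party may have reached the vulnerable settings.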
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| kk12-30 | Link | CVE-2025-27817 |
| iSee857 | Link | The Apache Kafka client does not strictly validate or restrict user input. An unauthenticated attacker can supply a malicious configuration to read environment variables or arbitrary disk contents, or to send requests to unintended locations, escalating REST API access to file system, environment and URL access. |
What are the Available Fixes for BIT-kafka-2025-27817?
Available Upgrade Options
- org.apache.kafka:kafka-clients
- >3.1.0, <3.9.1 → Upgrade to 3.9.1
Additional Resources
- https://kafka.apache.org/cve-list
- https://nvd.nist.gov/vuln/detail/CVE-2025-27817
- http://www.openwall.com/lists/oss-security/2025/06/09/1
- https://github.com/apache/kafka
- https://osv.dev/vulnerability/GHSA-vgq5-3255-v292
What are Similar Vulnerabilities to BIT-kafka-2025-27817?
Similar Vulnerabilities: CVE-2021-44228, CVE-2023-25136, CVE-2023-34035, CVE-2023-27536, CVE-2022-35914
