BIT-kafka-2025-27818
Unrestricted Deserialization vulnerability in kafka_2.11 (Maven)
What is BIT-kafka-2025-27818 About?
This vulnerability in Apache Kafka allows an authenticated operator to achieve unrestricted deserialization of untrusted data, potentially leading to Remote Code Execution (RCE). It is triggered by manipulating Kafka client SASL JAAS configuration properties (`sasl.jaas.config`) to point to an attacker-controlled LDAP server. Exploitation requires specific access and configuration, making it moderately difficult.
Affected Software
- org.apache.kafka:kafka_2.11
  - >=2.3.0, <=2.4.1
- org.apache.kafka:kafka_2.12
  - >=2.3.0, <3.9.1
- org.apache.kafka:kafka_2.13
  - >=2.4.0, <3.9.1
Technical Details
The vulnerability lies in the ability of an authenticated operator, one holding `alterConfig` privileges on the cluster resource or on a Kafka Connect worker together with the ability to create or modify connectors, to set the `sasl.jaas.config` property of the Kafka clients that a connector configuration defines, specifically `producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config`. By setting this property to `com.sun.security.auth.module.LdapLoginModule`, the Kafka Connect worker is made to connect to an attacker-controlled LDAP server. The LDAP server's response can contain serialized Java objects, which the Kafka Connect worker deserializes without proper validation, leading to unrestricted deserialization of untrusted data. If suitable gadget chains exist on the classpath, this can result in Remote Code Execution on the Kafka Connect server.
What is the Impact of BIT-kafka-2025-27818?
Successful exploitation may allow attackers to execute arbitrary code on the Kafka Connect server, leading to full system compromise, data theft, and disruption of service.
What is the Exploitability of BIT-kafka-2025-27818?
Exploitation requires a significant level of complexity and specific access. An attacker must be an authenticated operator with alterConfig privileges on the cluster resource or a Kafka Connect worker, and have the ability to create/modify connectors. The authentication is intrinsic to the attack, as these privileges are necessary to manipulate the sasl.jaas.config. The attack can be considered remote, as it relies on manipulating configurations that then trigger a connection to an external LDAP server controlled by the attacker. Special conditions include the use of a SASL-based security protocol and the availability of deserialization gadget chains on the Kafka Connect server's classpath. The introduction of system properties to disable problematic login modules in newer Kafka versions makes exploitation harder, as does the ability for users to implement custom client config override policies.
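As an added defensive example (not code from the advisory or the Kafka project), the following Python audits connector configurations, in the shape returned by the Connect REST API, for client overrides of `sasl.jaas.config` that name a login module on a deny list; the connector configs are constructed samples, and the deny list also includes `JndiLoginModule` from the earlier issue cited under similar vulnerabilities.

```python
from typing import Dict, List, Optional, Tuple

# Client-override keys named in the advisory; each lets a connector set sasl.jaas.config
# for the producer, consumer or admin client the worker creates on its behalf.
OVERRIDE_KEYS = (
    "producer.override.sasl.jaas.config",
    "consumer.override.sasl.jaas.config",
    "admin.override.sasl.jaas.config",
)
# Modules that make the worker contact a server chosen by the config: LdapLoginModule is
# the one this advisory describes, JndiLoginModule the analogous one from CVE-2023-25194.
DISALLOWED_MODULES = frozenset({
    "com.sun.security.auth.module.LdapLoginModule",
    "com.sun.security.auth.module.JndiLoginModule",
})

def login_module_of(jaas_config: str) -> Optional[str]:
    """Return the login module class in a sasl.jaas.config value, whose form is
    '<LoginModuleClass> <control flag> [key=value ...];' (first token is the class)."""
    tokens = jaas_config.strip().split()
    return tokens[0].rstrip(";") if tokens else None

def find_unsafe_jaas_overrides(connector_config: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (override key, module class) for each override naming a disallowed module."""
    findings = []
    for key in OVERRIDE_KEYS:
        value = connector_config.get(key)
        module = login_module_of(value) if isinstance(value, str) else None
        if module in DISALLOWED_MODULES:
            findings.append((key, module))
    return findings

def audit_connectors(configs: Dict[str, Dict[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each connector name to its findings; connectors with none are omitted."""
    report = {}
    for name, config in configs.items():
        findings = find_unsafe_jaas_overrides(config)
        if findings:
            report[name] = findings
    return report

# Constructed sample shaped like GET /connectors/<name>/config responses (not real connectors).
SAMPLE_CONNECTORS = {
    "orders-sink": {
        "producer.override.sasl.jaas.config": "org.apache.kafka.common.security.scram."
            'ScramLoginModule required username="svc-orders" password="placeholder";',
    },
    "ldap-sink": {
        "consumer.override.sasl.jaas.config": "com.sun.security.auth.module.LdapLoginModule required;",
    },
}
```

The same module names belong in the worker-side list of disabled login modules and in a custom client config override policy, so that a flagged connector is rejected at submission rather than only found afterwards.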
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-kafka-2025-27818?
Available Upgrade Options
- org.apache.kafka:kafka_2.12
  - >=2.3.0, <3.9.1 → Upgrade to 3.9.1
- org.apache.kafka:kafka_2.13
  - >=2.4.0, <3.9.1 → Upgrade to 3.9.1
Additional Resources
- http://www.openwall.com/lists/oss-security/2025/06/09/2
- https://github.com/apache/kafka
- https://nvd.nist.gov/vuln/detail/CVE-2025-27818
- https://osv.dev/vulnerability/GHSA-76qp-h5mr-frr4
- https://kafka.apache.org/cve-list
What are Similar Vulnerabilities to BIT-kafka-2025-27818?
Similar Vulnerabilities: CVE-2023-34039, CVE-2023-25194, CVE-2022-23307, CVE-2021-44228, CVE-2020-9496
