CVE-2025-27818: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Kafka
A possible security vulnerability has been identified in Apache Kafka. Exploiting it requires alterConfig access to the cluster resource, or to a Kafka Connect worker, together with the ability to create or modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol; this has been possible on Kafka clusters since Apache Kafka 2.0.0 (Kafka Connect 2.3.0). When configuring the broker via the config file or the AlterConfig command, or a connector via the Kafka Connect REST API, an authenticated operator can set the `sasl.jaas.config` property for any of the connector's Kafka clients to "com.sun.security.auth.module.LdapLoginModule", which can be done via the `producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties. This causes the server to connect to the attacker's LDAP server and deserialize the LDAP response, which the attacker can use to execute Java deserialization gadget chains on the Kafka Connect server. The result is unrestricted deserialization of untrusted data, or remote code execution (RCE) when suitable gadgets are present on the classpath. Since Apache Kafka 3.0.0, users are allowed to specify these properties in connector configurations on Kafka Connect clusters running with out-of-the-box configurations. Before Apache Kafka 3.0.0, users may not specify these properties unless the Kafka Connect cluster has been reconfigured with a connector client override policy that permits them. Since Apache Kafka 3.9.1/4.0.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the use of the problematic login modules in SASL JAAS configuration. In addition, "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule" are disabled by default in Apache Kafka Connect 3.9.1/4.0.0. We advise Kafka users to validate connector configurations and only allow trusted LDAP configurations.
Also examine connector dependencies for vulnerable versions; the remediation options are upgrading the connector, upgrading that specific dependency, or removing the connector. Finally, in addition to leveraging the "org.apache.kafka.disallowed.login.modules" system property, Kafka Connect users can also implement their own connector client config override policy, which can be used to control which Kafka client properties can be overridden directly in a connector config and which cannot.
AI Analysis
Technical Summary
CVE-2025-27818 is a critical deserialization vulnerability classified under CWE-502 affecting Apache Kafka versions starting from 2.3.0. The flaw requires an attacker to have authenticated access with permissions to alter cluster configurations or Kafka Connect worker settings, specifically the ability to create or modify connectors. The attacker can exploit the ability to set the `sasl.jaas.config` property for Kafka clients within connector configurations to specify the use of the `com.sun.security.auth.module.LdapLoginModule`. This causes the Kafka Connect server to connect to an attacker-controlled LDAP server and deserialize the LDAP response. If the classpath contains vulnerable Java deserialization gadgets, this can lead to remote code execution (RCE). Prior to Kafka 3.0.0, such overrides were restricted unless explicitly allowed by a connector client override policy, but from 3.0.0 onward, these properties can be set by default in connector configurations, increasing exposure. To mitigate this, Apache Kafka 3.9.1 and 4.0.0 introduced a system property `-Dorg.apache.kafka.disallowed.login.modules` that disables the use of dangerous login modules such as `JndiLoginModule` and `LdapLoginModule`. Additionally, Kafka users should validate connector configurations to ensure only trusted LDAP configurations are used, audit connector dependencies for vulnerable versions, and implement strict connector client config override policies to control which Kafka client properties can be overridden. The vulnerability has a CVSS 3.1 base score of 8.8, reflecting its high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and no user interaction required.
Potential Impact
This vulnerability poses a significant risk to organizations running Apache Kafka clusters, especially those using Kafka Connect with default or permissive connector client override policies. Successful exploitation can lead to remote code execution on Kafka Connect servers, potentially allowing attackers to execute arbitrary code, compromise sensitive data, disrupt message streaming pipelines, and pivot within internal networks. Given Kafka's widespread use in critical data streaming and real-time processing infrastructures across industries such as finance, telecommunications, and cloud services, the impact can be severe, including data breaches, service outages, and loss of trust. The requirement for authenticated access with specific permissions limits exploitation to insiders or attackers who have already compromised credentials, but the ease of exploitation once access is gained and the high privileges involved make this a critical threat. Organizations using vulnerable Kafka versions without mitigations are at risk of targeted attacks, especially in environments where connector configurations are not tightly controlled or audited.
Mitigation Recommendations
To mitigate CVE-2025-27818, organizations should:
1) Upgrade Apache Kafka to version 3.9.1 or later, or 4.0.0 or later, where the system property `-Dorg.apache.kafka.disallowed.login.modules` disables dangerous login modules by default.
2) Implement strict connector client config override policies to restrict which Kafka client properties can be overridden in connector configurations, preventing unauthorized setting of `sasl.jaas.config` properties.
3) Audit all connector configurations to ensure that only trusted and validated LDAP configurations are used, avoiding connections to untrusted LDAP servers.
4) Review and update connector dependencies to remove or upgrade any libraries that include unsafe Java deserialization gadgets.
5) Limit alterConfig permissions to trusted administrators and monitor for unusual configuration changes or connector creations.
6) Employ network segmentation and monitoring to detect and block unauthorized LDAP connections initiated by Kafka Connect servers.
7) Regularly review Kafka Connect logs and security alerts for signs of exploitation attempts.
These steps go beyond generic advice by focusing on configuration validation, permission management, and dependency auditing specific to this vulnerability.
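Step 2 above, and the advisory's own suggestion of a custom connector client config override policy, can be realised on the Kafka Connect worker as shown below. This is an added example written for this page, not code from Apache Kafka or from the advisory; the package and class names, the `policy.denied.login.modules` worker property (and the assumption that the worker passes its properties through to `configure()`), and the regex used to pick login module class names out of a JAAS entry are assumptions. The Kafka types it builds on (`ConnectorClientConfigOverridePolicy`, `ConnectorClientConfigRequest`, `ConfigValue`, `SaslConfigs.SASL_JAAS_CONFIG`) are the real Kafka Connect API.

```java
package example.policy;  // hypothetical package; not part of Apache Kafka

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.apache.kafka.common.config.ConfigValue;
import org.apache.kafka.common.config.SaslConfigs;
import org.apache.kafka.connect.connector.policy.ConnectorClientConfigOverridePolicy;
import org.apache.kafka.connect.connector.policy.ConnectorClientConfigRequest;

/**
 * Override policy that still lets connectors override Kafka client properties
 * (as the default "All" policy does) but rejects any producer/consumer/admin
 * override of sasl.jaas.config whose JAAS entry names a denied login module.
 */
public class DenyUnsafeLoginModulePolicy implements ConnectorClientConfigOverridePolicy {

    /** Hypothetical worker property for extending the deny list (comma separated class names). */
    public static final String EXTRA_DENIED_CONFIG = "policy.denied.login.modules";

    /** The two modules the advisory disables by default in Kafka Connect 3.9.1 / 4.0.0. */
    private static final Set<String> DEFAULT_DENIED = new HashSet<>(Arrays.asList(
            "com.sun.security.auth.module.JndiLoginModule",
            "com.sun.security.auth.module.LdapLoginModule"));

    /**
     * A sasl.jaas.config value is a JAAS entry made of one or more
     * "<LoginModuleClass> <controlFlag> [option=value ...];" clauses.
     * The first group captures the class name that precedes each control flag.
     */
    private static final Pattern LOGIN_MODULE = Pattern.compile(
            "([A-Za-z_$][\\w$.]*)\\s+(required|requisite|sufficient|optional)\\b",
            Pattern.CASE_INSENSITIVE);

    private final Set<String> denied = new HashSet<>(DEFAULT_DENIED);

    @Override
    public void configure(Map<String, ?> configs) {
        // Assumption: the worker properties reach configure(); extra entries extend the deny list.
        Object extra = configs.get(EXTRA_DENIED_CONFIG);
        if (extra != null) {
            for (String module : String.valueOf(extra).split(",")) {
                if (!module.trim().isEmpty()) denied.add(module.trim());
            }
        }
    }

    @Override
    public List<ConfigValue> validate(ConnectorClientConfigRequest request) {
        List<ConfigValue> results = new ArrayList<>();
        // clientProps() holds the overrides with the producer./consumer./admin.override. prefix stripped,
        // so sasl.jaas.config is checked the same way for all three client types.
        for (Map.Entry<String, Object> entry : request.clientProps().entrySet()) {
            ConfigValue value = new ConfigValue(entry.getKey(), entry.getValue(),
                    new ArrayList<>(), new ArrayList<>());
            if (SaslConfigs.SASL_JAAS_CONFIG.equals(entry.getKey())) {
                for (String module : loginModules(String.valueOf(entry.getValue()))) {
                    if (denied.contains(module)) {
                        value.addErrorMessage(String.format(
                                "Connector '%s': login module %s is not permitted in the %s override of %s",
                                request.connectorName(), module, request.clientType(), entry.getKey()));
                    }
                }
            }
            // The worker rejects the connector request if any returned ConfigValue carries an error.
            results.add(value);
        }
        return results;
    }

    /** Returns every login module class name found in a JAAS config string. */
    static List<String> loginModules(String jaasConfig) {
        List<String> modules = new ArrayList<>();
        Matcher matcher = LOGIN_MODULE.matcher(jaasConfig);
        while (matcher.find()) modules.add(matcher.group(1));
        return modules;
    }
}
```

Package the class into a jar on the worker's classpath or `plugin.path` and set `connector.client.config.override.policy=example.policy.DenyUnsafeLoginModulePolicy` in the worker properties. Connector create or update requests whose `producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config` or `admin.override.sasl.jaas.config` names a denied module are then refused by the worker with the error message above, while all other client overrides keep working as they do under the default policy. On 3.9.1/4.0.0 this complements the `-Dorg.apache.kafka.disallowed.login.modules` system property; on older workers that cannot be upgraded immediately it provides an equivalent control at the connector configuration layer.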
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, India, Canada, Australia, Netherlands, Brazil, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: apache
- Date Reserved: 2025-03-07T09:34:38.930Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68487f551b0bd07c3938a24c
Added to database: 6/10/2025, 6:54:13 PM
Last enriched: 2/27/2026, 1:25:43 AM
Last updated: 3/22/2026, 9:34:12 PM