
CVE-2025-27818: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Kafka

Severity: High
Tags: CVE-2025-27818, CWE-502
Published: Tue Jun 10 2025 (06/10/2025, 07:52:31 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Kafka

Description

A possible security vulnerability has been identified in Apache Kafka. This requires access to an alterConfig to the cluster resource, or Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol, which has been possible on Kafka clusters since Apache Kafka 2.0.0 (Kafka Connect 2.3.0). When configuring the broker via config file or AlterConfig command, or connector via the Kafka Connect REST API, an authenticated operator can set the `sasl.jaas.config` property for any of the connector's Kafka clients to "com.sun.security.auth.module.LdapLoginModule", which can be done via the `producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties. This will allow the server to connect to the attacker's LDAP server and deserialize the LDAP response, which the attacker can use to execute Java deserialization gadget chains on the Kafka Connect server. An attacker can cause unrestricted deserialization of untrusted data, or RCE, when there are gadgets in the classpath. Since Apache Kafka 3.0.0, users are allowed to specify these properties in connector configurations for Kafka Connect clusters running with out-of-the-box configurations. Before Apache Kafka 3.0.0, users may not specify these properties unless the Kafka Connect cluster has been reconfigured with a connector client override policy that permits them. Since Apache Kafka 3.9.1/4.0.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules usage in SASL JAAS configuration. Also by default "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule" are disabled in Apache Kafka Connect 3.9.1/4.0.0. We advise Kafka users to validate connector configurations and only allow trusted LDAP configurations.
Also examine connector dependencies for vulnerable versions and either upgrade their connectors, upgrade that specific dependency, or remove the connectors as options for remediation. Finally, in addition to leveraging the "org.apache.kafka.disallowed.login.modules" system property, Kafka Connect users can also implement their own connector client config override policy, which can be used to control which Kafka client properties can be overridden directly in a connector config and which cannot.

AI-Powered Analysis

AI analysis last updated: 08/22/2025, 00:43:31 UTC

Technical Analysis

CVE-2025-27818 is a high-severity vulnerability in Apache Kafka, specifically affecting Kafka Connect components from version 2.3.0 onward. The vulnerability arises from unsafe deserialization of untrusted data (CWE-502) via LDAP responses when an authenticated operator configures Kafka Connect connectors with malicious SASL JAAS configurations. An attacker with privileges to alter cluster configurations or create/modify connectors can set the `sasl.jaas.config` property to use the "com.sun.security.auth.module.LdapLoginModule". This causes the Kafka Connect server to connect to an attacker-controlled LDAP server, which can return crafted LDAP responses that trigger Java deserialization gadget chains. If vulnerable gadget classes are present in the classpath, this leads to remote code execution (RCE) on the Kafka Connect server. The vulnerability requires at least limited privileges (ability to alter cluster configs or connectors) and no user interaction. Since Apache Kafka 3.0.0, these properties can be set more easily in connector configurations, increasing the attack surface. Mitigations introduced in Kafka 3.9.1/4.0.0 include disabling dangerous login modules by default via the system property "-Dorg.apache.kafka.disallowed.login.modules" and allowing administrators to enforce connector client config override policies to restrict which Kafka client properties can be overridden. Users are advised to validate connector configurations to allow only trusted LDAP settings, audit connector dependencies for vulnerable versions, upgrade or remove risky connectors, and leverage the new system property and override policies to prevent exploitation. The CVSS 3.1 score is 8.8 (high), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and high impact on confidentiality, integrity, and availability.

Potential Impact

For European organizations using Apache Kafka, especially those deploying Kafka Connect clusters, this vulnerability poses a significant risk. Successful exploitation can lead to full remote code execution on Kafka Connect servers, potentially compromising sensitive data streams, disrupting critical data pipelines, and enabling lateral movement within enterprise networks. Given Kafka's widespread use in financial services, telecommunications, manufacturing, and public sector infrastructures across Europe, an attacker could leverage this vulnerability to exfiltrate confidential information, manipulate data integrity, or cause denial of service. The requirement for authenticated access to alter configurations limits exposure to insiders or attackers who have already breached perimeter defenses, but the impact remains severe. Organizations relying on Kafka Connect for integrating external data sources or sinks are particularly at risk if connector configurations are not tightly controlled. The vulnerability also raises compliance concerns under GDPR and other data protection regulations due to potential unauthorized data access and processing disruptions.

Mitigation Recommendations

European organizations should implement the following specific mitigations:
1) Immediately audit all Kafka Connect cluster configurations and connector settings to identify any use of `sasl.jaas.config` properties referencing LDAP login modules, and remove or restrict them to trusted LDAP servers only.
2) Upgrade Apache Kafka to version 3.9.1 or later, where the system property `-Dorg.apache.kafka.disallowed.login.modules` disables dangerous login modules by default.
3) Define and enforce strict connector client config override policies to prevent unauthorized override of SASL JAAS configurations in connector definitions.
4) Review and update connector dependencies to eliminate vulnerable deserialization gadget classes from the classpath, or remove untrusted connectors altogether.
5) Implement strong access controls and monitoring on Kafka cluster administrative interfaces to prevent unauthorized configuration changes.
6) Employ network segmentation and firewall rules to restrict Kafka Connect servers' outbound LDAP connections to only trusted servers.
7) Conduct regular security training for operators managing Kafka clusters to recognize and avoid risky configuration practices.
8) Monitor Kafka Connect logs and network traffic for suspicious LDAP connections or configuration changes indicative of exploitation attempts.
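The audit in mitigation 1) can be automated against the connector configs the Connect REST API returns, checking the four `sasl.jaas.config` keys the description names against the two login modules that Kafka 3.9.1/4.0.0 disallow by default. This is an added example, not code from Apache Kafka or this advisory; the connector names and JAAS values in SAMPLE_CONNECTORS are constructed.

```python
import re
from typing import Dict, List, Optional

# Login modules Apache Kafka 3.9.1/4.0.0 disallow by default (listed in the advisory above).
DISALLOWED_LOGIN_MODULES = {
    "com.sun.security.auth.module.JndiLoginModule",
    "com.sun.security.auth.module.LdapLoginModule",
}
# The worker-level key plus the three connector-level override prefixes named in the advisory.
JAAS_KEY = re.compile(r"^(?:(?:producer|consumer|admin)\.override\.)?sasl\.jaas\.config$")
# A JAAS config value starts with "<LoginModuleClass> <control-flag> ...", so the module is the first token.
LOGIN_MODULE = re.compile(
    r"^\s*([A-Za-z_][\w.$]*)\s+(?:required|requisite|sufficient|optional)\b", re.IGNORECASE)

def login_module_of(jaas_config: str) -> Optional[str]:
    """Return the login module class a JAAS config string names, or None if it does not parse."""
    m = LOGIN_MODULE.match(jaas_config)
    return m.group(1) if m else None

def audit_connector(name: str, config: Dict[str, str]) -> List[str]:
    """Findings for one connector config (e.g. the body returned by GET /connectors/<name>/config)."""
    findings = []
    for key, value in config.items():
        if not JAAS_KEY.match(key):
            continue
        module = login_module_of(str(value))
        if module is None:
            # An unparseable JAAS string deserves a human look rather than a silent pass.
            findings.append(f"{name}: {key} is set but its JAAS config could not be parsed")
        elif module in DISALLOWED_LOGIN_MODULES:
            findings.append(f"{name}: {key} uses disallowed login module {module}")
    return findings

def audit_connectors(connectors: Dict[str, Dict[str, str]]) -> List[str]:
    """Audit a mapping of connector name -> connector config and return every finding."""
    findings: List[str] = []
    for name, config in connectors.items():
        findings.extend(audit_connector(name, config))
    return findings

# Constructed sample: one benign PLAIN override and one override naming the disallowed LDAP module.
SAMPLE_CONNECTORS = {
    "orders-sink": {"consumer.override.sasl.jaas.config":
        'org.apache.kafka.common.security.plain.PlainLoginModule required username="svc" password="<redacted>";'},
    "suspicious-source": {"producer.override.sasl.jaas.config":
        "com.sun.security.auth.module.LdapLoginModule required;"},
}
```

On a real cluster, build the mapping from `GET /connectors` followed by `GET /connectors/<name>/config` on each worker, and treat every finding as a configuration to remove or restrict per mitigation 1).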


Technical Details

Data Version: 5.1
Assigner Short Name: apache
Date Reserved: 2025-03-07T09:34:38.930Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68487f551b0bd07c3938a24c

Added to database: 6/10/2025, 6:54:13 PM

Last enriched: 8/22/2025, 12:43:31 AM

Last updated: 9/16/2025, 2:17:25 PM

