Red Hat Security Advisory: Streams for Apache Kafka 2.9.2 release and security update
Red Hat Streams for Apache Kafka 2. 9. 2 includes security updates addressing two vulnerabilities: CVE-2025-48924, an uncontrolled recursion issue in Apache Commons Lang3, and CVE-2025-55163, an HTTP/2 DDoS vulnerability in Netty's netty-codec-http2 component. This release replaces version 2. 9. 1 and provides important security and bug fixes. The update is rated as having a moderate security impact by Red Hat Product Security.
AI Analysis
Technical Summary
Red Hat Streams for Apache Kafka 2.9.2 addresses two security vulnerabilities. The first, CVE-2025-48924, involves uncontrolled recursion in the Apache Commons Lang3 library used by Kafka, which could potentially lead to denial of service or application instability. The second, CVE-2025-55163, is a denial-of-service vulnerability in the Netty HTTP/2 codec (netty-codec-http2) component, known as the 'Netty MadeYouReset HTTP/2 DDoS Vulnerability'. This release replaces version 2.9.1 and includes these security fixes along with other bug fixes and enhancements. Red Hat rates the overall security impact of this update as Moderate.
Potential Impact
The vulnerabilities fixed in this update could allow denial-of-service conditions due to uncontrolled recursion or HTTP/2 protocol abuse. These issues may affect the stability and availability of services relying on Red Hat Streams for Apache Kafka. No known exploits in the wild have been reported at the time of this advisory.
Mitigation Recommendations
Red Hat has released Streams for Apache Kafka version 2.9.2 which includes fixes for the identified vulnerabilities. Users should upgrade from version 2.9.1 or earlier to 2.9.2 after ensuring all previously released errata relevant to their system have been applied. Refer to Red Hat's official update instructions at https://access.redhat.com/articles/11258 for proper application of this update.
Red Hat Security Advisory: Streams for Apache Kafka 2.9.2 release and security update
Description
Red Hat Streams for Apache Kafka 2. 9. 2 includes security updates addressing two vulnerabilities: CVE-2025-48924, an uncontrolled recursion issue in Apache Commons Lang3, and CVE-2025-55163, an HTTP/2 DDoS vulnerability in Netty's netty-codec-http2 component. This release replaces version 2. 9. 1 and provides important security and bug fixes. The update is rated as having a moderate security impact by Red Hat Product Security.
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Red Hat Streams for Apache Kafka 2.9.2 addresses two security vulnerabilities. The first, CVE-2025-48924, involves uncontrolled recursion in the Apache Commons Lang3 library used by Kafka, which could potentially lead to denial of service or application instability. The second, CVE-2025-55163, is a denial-of-service vulnerability in the Netty HTTP/2 codec (netty-codec-http2) component, known as the 'Netty MadeYouReset HTTP/2 DDoS Vulnerability'. This release replaces version 2.9.1 and includes these security fixes along with other bug fixes and enhancements. Red Hat rates the overall security impact of this update as Moderate.
Potential Impact
The vulnerabilities fixed in this update could allow denial-of-service conditions due to uncontrolled recursion or HTTP/2 protocol abuse. These issues may affect the stability and availability of services relying on Red Hat Streams for Apache Kafka. No known exploits in the wild have been reported at the time of this advisory.
Mitigation Recommendations
Red Hat has released Streams for Apache Kafka version 2.9.2 which includes fixes for the identified vulnerabilities. Users should upgrade from version 2.9.1 or earlier to 2.9.2 after ensuring all previously released errata relevant to their system have been applied. Refer to Red Hat's official update instructions at https://access.redhat.com/articles/11258 for proper application of this update.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- Red Hat Product Security
- Advisory Id
- RHSA-2025:15697
- Cve Count
- 2
- Additional Cves
- ["CVE-2025-55163"]
- Cvss Version
- null
Threat ID: 6a294d7e8dd33fbd853ac73a
Added to database: 6/10/2026, 11:41:50 AM
Last enriched: 6/10/2026, 12:01:06 PM
Last updated: 6/10/2026, 2:17:10 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.