This advisory covers Red Hat Streams for Apache Kafka 3.1.0, which replaces version 3.0.1 and includes security and bug fixes. The update addresses 12 distinct vulnerabilities: Netty's BrotliDecoder is vulnerable to DoS via zip bomb (CVE-2025-58057); Netty is vulnerable to HTTP request smuggling due to incorrect chunk extension parsing (CVE-2025-58056); Netty MadeYouReset HTTP/2 DDoS vulnerability (CVE-2025-55163); uncontrolled recursion in Apache Commons Lang3 (CVE-2025-48924); memory leak in Quarkus RESTEasy Classic (CVE-2025-1634); data leak in Quarkus Vert.x package (CVE-2025-49574); SCRAM authentication replay attacks in Apache Kafka when used without encryption (CVE-2024-56128); Kafka client arbitrary file read SSRF (CVE-2025-27817); Kafka client remote code execution vulnerabilities (CVE-2025-27818, CVE-2025-27819); Eclipse Vert.x access control flaw (CVE-2025-11965); and Vert.x cross-site scripting (CVE-2025-11966). The advisory is published by Red Hat Product Security as RHSA-2025:23417 and rates the security impact as Moderate.

The vulnerabilities collectively impact multiple components of Red Hat Streams for Apache Kafka, potentially allowing denial of service attacks, request smuggling, replay attacks on authentication, memory leaks, data leaks, arbitrary file read, remote code execution, access control bypass, and cross-site scripting. These issues could affect the confidentiality, integrity, and availability of the affected systems if exploited. However, no known exploits in the wild have been reported at the time of this advisory.

Red Hat has released Streams for Apache Kafka 3.1.0 as a replacement for version 3.0.1, which includes fixes for all listed vulnerabilities. Users should apply this update after ensuring all previously released errata relevant to their system have been applied. Detailed update instructions are available from Red Hat's customer portal. No additional mitigation steps are indicated beyond applying the official update.