PT-2025-24620 · Apache · Apache Kafka
Ra1Lgun · Published 2025-06-09 · Updated 2026-02-28
CVE-2025-27818
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Apache Kafka versions 2.0.0 through 3.9.0
Apache Kafka versions 3.0.0 through 3.9.0, where users are allowed to specify properties in connector configurations for Kafka Connect clusters running with out-of-the-box configurations
Apache Kafka versions 3.9.1 and 4.0.0, where a system property ("-Dorg.apache.kafka.disallowed.login.modules") has been added to disable problematic login modules usage in SASL JAAS configuration
Description
A possible security vulnerability has been identified in Apache Kafka. Exploiting it requires alterConfig access to the cluster resource or to a Kafka Connect worker, together with the ability to create or modify connectors with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol. This allows an attacker to trigger Java deserialization gadget chains on the Kafka Connect server, leading to unrestricted deserialization of untrusted data, or to remote code execution when suitable gadgets are present on the classpath. The sasl.jaas.config property can be set to "com.sun.security.auth.module.LdapLoginModule" via the producer.override.sasl.jaas.config, consumer.override.sasl.jaas.config, or admin.override.sasl.jaas.config properties, causing the server to connect to the attacker's LDAP server and deserialize the LDAP response.
Recommendations
For Apache Kafka versions 2.0.0 through 3.9.0, validate connector configurations and only allow trusted LDAP configurations. Examine connector dependencies for vulnerable versions; remediation options are to upgrade the connectors, upgrade the specific dependency, or remove the connectors.
For Apache Kafka versions 3.0.0 through 3.9.0, implement a connector client config override policy to control which Kafka client properties can be overridden directly in a connector config and which cannot.
For Apache Kafka versions 3.9.1 and 4.0.0, leverage the "org.apache.kafka.disallowed.login.modules" system property to disable problematic login modules usage in SASL JAAS configuration. Additionally, implement a connector client config override policy to control which Kafka client properties can be overridden directly in a connector config and which cannot.
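As an added example (not Apache Kafka project code), the following audit applies the recommendations above to connector configurations before they reach a worker: it parses each producer/consumer/admin `*.override.sasl.jaas.config` value and flags any that loads a login module you would list in `org.apache.kafka.disallowed.login.modules`. The disallowed set and the two sample connector payloads are assumptions/constructed data.

```python
"""Audit Kafka Connect connector configs for SASL JAAS overrides that load a
login module the worker should not allow (the CVE-2025-27818 pattern).
Added example; DISALLOWED_MODULES and the sample payloads are constructed."""
import json
import re

# The connector-level client overrides the advisory names.
OVERRIDE_KEYS = (
    "producer.override.sasl.jaas.config",
    "consumer.override.sasl.jaas.config",
    "admin.override.sasl.jaas.config",
)
# Assumption: the module the advisory names; keep this in step with what the
# worker passes in -Dorg.apache.kafka.disallowed.login.modules.
DISALLOWED_MODULES = frozenset({"com.sun.security.auth.module.LdapLoginModule"})

# One JAAS entry: <LoginModuleClass> <controlFlag> [option=value ...];
_JAAS_ENTRY = re.compile(
    r"([A-Za-z_$][\w$.]*)\s+(?:required|requisite|sufficient|optional)\b",
    re.IGNORECASE,
)

def login_modules(jaas_config: str) -> list[str]:
    """Return the login module class names a sasl.jaas.config value loads."""
    return [m.group(1) for m in _JAAS_ENTRY.finditer(jaas_config)]

def audit_connector(connector: dict, disallowed=DISALLOWED_MODULES) -> list[str]:
    """Return one finding per override key that loads a disallowed module."""
    findings = []
    cfg = connector.get("config", {})
    for key in OVERRIDE_KEYS:
        for module in login_modules(cfg.get(key, "")):
            if module in disallowed:
                findings.append(f"{connector.get('name')}: {key} loads {module}")
    return findings

# Constructed samples in the shape of a Connect REST API connector payload.
SAFE_CONNECTOR = json.loads('''{"name": "orders-sink", "config": {
  "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
  "consumer.override.sasl.jaas.config":
    "org.apache.kafka.common.security.plain.PlainLoginModule required username=\\"c\\" password=\\"s\\";"}}''')
RISKY_CONNECTOR = json.loads('''{"name": "audit-source", "config": {
  "connector.class": "org.apache.kafka.connect.file.FileStreamSourceConnector",
  "producer.override.sasl.jaas.config":
    "com.sun.security.auth.module.LdapLoginModule required;"}}''')

if __name__ == "__main__":
    for connector in (SAFE_CONNECTOR, RISKY_CONNECTOR):
        print(connector["name"], audit_connector(connector) or "ok")
```

Run it against the output of the worker's `GET /connectors/{name}/config` endpoint, or wire the same check into a connector client config override policy so that disallowed overrides are rejected rather than merely reported.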
RCE
Weakness Enumeration
Deserialization of Untrusted Data
Affected Products
Alt Linux
Apache Kafka
Red Os