PT-2025-24621 · Apache · Apache Kafka
Credit: Jian Zhou and 2 others
Published 2025-06-09 · Updated 2025-11-26
CVE-2025-27819
CVSS v2.0: 9.0 (High), vector AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Apache Kafka versions prior to 3.4.0
Apache Kafka versions 3.4.0 through 3.9.0
Description
The vulnerability allows Remote Code Execution (RCE) and Denial of Service (DoS) through the SASL JAAS JndiLoginModule configuration in the Kafka Connect API and in Apache Kafka brokers. To exploit it, an attacker must be able to connect to the Kafka cluster and must hold the AlterConfigs permission on the cluster resource.
Recommendations
For Apache Kafka versions prior to 3.4.0, consider setting the system property "-Dorg.apache.kafka.disallowed.login.modules" to disable use of the problematic login modules in the SASL JAAS configuration.
For Apache Kafka versions 3.4.0 through 3.9.0, ensure that "com.sun.security.auth.module.JndiLoginModule" is disabled, as it is by default in Apache Kafka 3.4.0.
For Apache Kafka versions 3.9.1 and 4.0.0, ensure that "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule" is disabled, as it is by default.
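A defensive check for the recommendations above, added here as an example (not part of this advisory or of Apache Kafka itself): given a Kafka version, the JVM options the broker or Connect worker was started with, and a properties file, it computes the effective disallow list (the per-version default from the recommendations, or the explicit `-D` value) and flags any `*sasl.jaas.config` key that still names a module the advisory says must be blocked. The function names are ours; it assumes that an explicit property value replaces the built-in default rather than extending it.

```python
import re
from typing import Dict, List, Set

# Login modules named by the advisory, and the property that disallows them.
JNDI = "com.sun.security.auth.module.JndiLoginModule"
LDAP = "com.sun.security.auth.module.LdapLoginModule"
PROPERTY = "org.apache.kafka.disallowed.login.modules"


def _ver(v: str) -> tuple:
    """Numeric version tuple padded to three parts, e.g. "3.4" -> (3, 4, 0)."""
    parts = [int(x) for x in v.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def default_disallowed(version: str) -> Set[str]:
    """Built-in disallow list, per the advisory's version ranges."""
    v = _ver(version)
    if v < (3, 4, 0):
        return set()  # no built-in default: the property must be set by hand
    if v <= (3, 9, 0):
        return {JNDI}
    return {JNDI, LDAP}


def required_disallowed(version: str) -> Set[str]:
    """Modules the advisory says must be blocked for this version."""
    return {JNDI} if _ver(version) <= (3, 9, 0) else {JNDI, LDAP}


def effective_disallowed(version: str, jvm_opts: str) -> Set[str]:
    """Assumption: an explicit -D value replaces the default list outright."""
    m = re.search(r"-D" + re.escape(PROPERTY) + r"=(\S*)", jvm_opts)
    if m is None:
        return default_disallowed(version)
    return {x.strip() for x in m.group(1).split(",") if x.strip()}


def audit(version: str, jvm_opts: str, config_text: str) -> Dict[str, object]:
    """Report modules missing from the disallow list and any *sasl.jaas.config
    key (broker or Connect properties) that still names a blocked module."""
    active = effective_disallowed(version, jvm_opts)
    required = required_disallowed(version)
    offending: List[str] = []
    for line in config_text.splitlines():
        key, _, value = line.partition("=")
        for mod in sorted(required):
            if key.strip().endswith("sasl.jaas.config") and mod in value:
                offending.append(f"{key.strip()} uses {mod}")
    return {"effective": active, "missing": required - active, "offending": offending}
```

Note the failure mode the explicit-override assumption implies: on 3.9.1 or 4.0.0, setting the property to LdapLoginModule alone would silently drop JndiLoginModule from the list.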
Tags: Fix · DoS · RCE · Deserialization of Untrusted Data
Affected Products
Alt Linux
Apache Kafka
Red Os