CVE-2025-27817— Apache Kafka Client: Arbitrary file read and SSRF vulnerability
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-27817
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Apache Kafka Client: Arbitrary file read and SSRF vulnerability
Source: NVD (National Vulnerability Database)
Vulnerability Description
A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting the SASL/OAUTHBEARER connection with the brokers, including "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwks.endpoint.url". Apache Kafka allows clients to read an arbitrary file and return the content in the error log, or sending requests to an unintended location. In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use the "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwks.endpoint.url" configuratin to read arbitrary contents of the disk and environment variables or make requests to an unintended location. In particular, this flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment/URL access, which may be undesirable in certain environments, including SaaS products. Since Apache Kafka 3.9.1/4.0.0, we have added a system property ("-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls") to set the allowed urls in SASL JAAS configuration. In 3.9.1, it accepts all urls by default for backward compatibility. However in 4.0.0 and newer, the default value is empty list and users have to set the allowed urls explicitly.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache Kafka Client 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache Kafka Client是美国阿帕奇(Apache)基金会的一款Kafka客户端。 Apache Kafka Client存在安全漏洞,该漏洞源于配置数据验证不足,可能导致任意文件读取和服务端请求伪造。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache Kafka Client | 3.1.0 ~ 3.9.0 | - |
II. Public POCs for CVE-2025-27817
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | None | https://github.com/Threekiii/Awesome-POC/blob/master/%E4%B8%AD%E9%97%B4%E4%BB%B6%E6%BC%8F%E6%B4%9E/Apache%20Kafka%20Clients%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E4%B8%8ESSRF%20%E6%BC%8F%E6%B4%9E%20CVE-2025-27817.md | POC Details |
| 2 | CVE-2025-27817 | https://github.com/kk12-30/CVE-2025-27817 | POC Details |
| 3 | Apache Kafka客户端未对用户输入进行严格验证和限制,未经身份验证的攻击者可通过构造恶意配置读取环境变量或磁盘任意内容,或向非预期位置发送请求,提升REST API的文件系统/环境/URL访问权限。 | https://github.com/iSee857/CVE-2025-27817 | POC Details |
| 4 | Apache Kafka 4.1.0 (KRaft) with Keycloak OAuth2 authentication using Strimzi - bypasses CVE-2025-27817 URL allowlist restriction | https://github.com/oriolrius/kafka-keycloak-oauth | POC Details |
| 5 | Apache Kafka Client contains arbitrary file read and server-side request forgery caused by untrusted configuration of sasl.oauthbearer.token.endpoint.url and sasl.oauthbearer.jwks.endpoint.url, letting attackers read files or send requests to unintended locations, exploit requires untrusted party to specify client configurations. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-27817.yaml | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-27817
请登录查看更多情报信息。
Same Patch Batch · Apache Software Foundation · 2025-06-10 · 8 CVEs total
| CVE-2025-30675 | 4.7 MEDIUM | Apache CloudStack: Unauthorised template/ISO list access to the domain/resource admins |
| CVE-2025-27818 | Apache Kafka: Possible RCE attack via SASL JAAS LdapLoginModule configuration | |
| CVE-2025-27819 | Apache Kafka: Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule configur | |
| CVE-2025-47713 | Apache CloudStack: Domain Admin can reset Admin password in Root Domain | |
| CVE-2025-47849 | Apache CloudStack: Insecure access of user's API/Secret Keys in the same domain | |
| CVE-2025-26521 | Apache CloudStack: CKS cluster in project exposes user API keys | |
| CVE-2025-22829 | Apache CloudStack: Unauthorised access to dedicated resources in Quota plugin |
IV. Related Vulnerabilities
Same vendor: Apache Software Foundation
- CVE-2026-39816
Apache NiFi: Missing Execute Code Required Permission on Tin - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro - CVE-2026-25077
Apache CloudStack: Unauthenticated Command Injection in Dire - CVE-2025-69233
Apache CloudStack: Domain/account resources limits not honor - CVE-2025-66467
Apache CloudStack: MinIO policy remains intact on bucket del
V. Comments for CVE-2025-27817
No comments yet