Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-27817 PoC — Apache Kafka Client: Arbitrary file read and SSRF vulnerability

Source
https://github.com/iSee857/CVE-2025-27817
Associated Vulnerability
Title:Apache Kafka Client: Arbitrary file read and SSRF vulnerability (CVE-2025-27817)
Description:A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting the SASL/OAUTHBEARER connection with the brokers, including "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwks.endpoint.url". Apache Kafka allows clients to read an arbitrary file and return the content in the error log, or sending requests to an unintended location. In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use the "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwks.endpoint.url" configuratin to read arbitrary contents of the disk and environment variables or make requests to an unintended location. In particular, this flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment/URL access, which may be undesirable in certain environments, including SaaS products. Since Apache Kafka 3.9.1/4.0.0, we have added a system property ("-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls") to set the allowed urls in SASL JAAS configuration. In 3.9.1, it accepts all urls by default for backward compatibility. However in 4.0.0 and newer, the default value is empty list and users have to set the allowed urls explicitly.
Description
Apache Kafka客户端未对用户输入进行严格验证和限制,未经身份验证的攻击者可通过构造恶意配置读取环境变量或磁盘任意内容,或向非预期位置发送请求,提升REST API的文件系统/环境/URL访问权限。
Readme
# 免责申明:

本文所描述的漏洞及其复现步骤仅供网络安全研究与教育目的使用。任何人不得将本文提供的信息用于非法目的或未经授权的系统测试。作者不对任何由于使用本文信息而导致的直接或间接损害承担责任。如涉及侵权,请及时与我们联系,我们将尽快处理并删除相关内容。

博客地址:

https://blog.csdn.net/xc_214/article/details/148698902?spm=1001.2014.3001.5501

纷传地址:

25hvv poc实时更新中

https://pc.fenchuan8.com/#/index?forum=101158&yqm=DGR4X
![image](https://github.com/user-attachments/assets/56220714-f829-477d-af31-2bd23009dcf7)


# CVE-2025-27817
Apache Kafka客户端未对用户输入进行严格验证和限制,未经身份验证的攻击者可通过构造恶意配置读取环境变量或磁盘任意内容,或向非预期位置发送请求,提升REST API的文件系统/环境/URL访问权限。


# 影响版本:

3.1.0 <= Apache Kafka <= 3.9.0

慢但是100%准确率,遇到超时的情况自行调整timeout


![image](https://github.com/user-attachments/assets/82450a1c-3252-4c3b-a5b6-5385e5aafe9f)
File Snapshot

 [4.0K]  /data/pocs/33dac951a03b7722f726f729cb6177583b78fd51
├── [7.5K]  kafka-CVE-2025-27817-ReadAnyFile(SSRF).py
└── [1.1K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →