CVE-2025-27817: 
Java vulnerability analysis and mitigation

A possible arbitrary file read and Server-Side Request Forgery (SSRF) vulnerability has been identified in Apache Kafka Client versions 3.1.0 through 3.9.0. The vulnerability was discovered and disclosed on June 9, 2025, affecting Apache Kafka Clients that accept configuration data for SASL/OAUTHBEARER connection with brokers (Kafka CVE List, OSS Security).

The vulnerability stems from the way Apache Kafka Clients handle configuration parameters 'sasl.oauthbearer.token.endpoint.url' and 'sasl.oauthbearer.jwks.endpoint.url'. These parameters can be exploited to read arbitrary files and return their content in error logs, or to send requests to unintended locations. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating high severity with potential for unauthorized information disclosure (NVD).

In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers can exploit this vulnerability to read arbitrary contents of the disk and environment variables or make requests to unintended locations. This is particularly concerning in Apache Kafka Connect environments, where the vulnerability can be used to escalate from REST API access to filesystem/environment/URL access, posing significant risks especially in SaaS products (Kafka CVE List).

Since Apache Kafka 3.9.1/4.0.0, a system property '-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls' has been introduced to set the allowed URLs in SASL JAAS configuration. In version 3.9.1, it accepts all URLs by default for backward compatibility, while in 4.0.0 and newer versions, the default value is an empty list and users must explicitly set the allowed URLs. Users are advised to upgrade to version 3.9.1 or later and configure the JVM system property appropriately (Kafka CVE List).