CVE Reference
CVE-2025-27818 , CVE-2025-27819
Impacted versions
- Confluent Platform <= 7.1.15, 7.2.13, 7.3.11, 7.4.8, 7.5.7, 7.6.4 ,7.7.2 , 7.8.1
- ksqlDB managed clusters on Confluent Cloud
Recommended Action
- Confluent Platform: Please upgrade to Confluent Platform 7.1.16, 7.2.14, 7.3.12, 7.4.9, 7.5.8, 7.6.5, 7.7.3, 7.8.2
- Confluent Cloud: ksqlDB managed Confluent Cloud clusters were identified to be vulnerable to this issue. However, all managed clusters have been upgraded. Please note that no security impact was observed for the impacted clusters. No further action is necessary at this time.
Issue
CVE-2023-25194 previously allowed a privileged attacker to trigger deserialisation of untrusted data that could lead to Remote Code Execution (RCE) by providing malicious sasl.jaas.config property of Kafka clients by leveraging a default system login module com.sun.security.auth.module.JndiLoginModule. This issue was fixed by introducing a system property -Dorg.apache.kafka.disallowed.login.modules system property to disallow the JndiLoginModule. Details on this issue and fix are available in CONFSA-2023-02.
As part of security issues identified in Apache Kafka (CVE-2025-27818, CVE-2025-27819), it was additionally discovered that the com.sun.security.auth.module.LdapLoginModule can also trigger the same deserialization vulnerability via arbitrary JNDI properties by providing misconfigured sasl.jaas.config property of internal Kafka clients (Note: Such configurations would require administrator privileges to be able to configure an internal Kafka client), and Kafka brokers are also considered to be impacted by the previous vulnerability (Note: This would require administrative privileges on the cluster resource). This would allow arbitrary connections to an attacker-controlled LDAP server, and can result in the deserialization of untrusted LDAP responses. Successful exploitation can result in Remote Code Execution (RCE) on vulnerable Confluent Platform components like Connect, ksqlDB, and Cluster Linking.
Remediation
Confluent Platform: This issue is resolved in Confluent Platform patch release versions 7.1.16, 7.2.14, 7.3.12, 7.4.9, 7.5.8, 7.6.5, 7.7.3 and 7.8.2. Customers are advised to upgrade to these latest release versions to adequately mitigate this vulnerability. These fixes extend the default disallowed login modules list to include additional login modules that could trigger deserialization of untrusted data.
Workarounds:
- If immediate upgrades are not possible, customers are advised to override the default JVM system property i.e -Dorg.apache.kafka.disallowed.login.modules=com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule
- Additionally, the property connector.client.config.override.policy can be set to none for Connect worker configuration to prevent Kafka client configuration overrides in Confluent Platform Connect components.
Confluent Cloud: This issue has already been resolved in Confluent Cloud and no further action is necessary.
CVSS Score: 8.8
CVSS v3.1 Calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H&version=3.1