Impacted Versions
- Confluent Platform versions <= CP 7.3.13, <= 7.4.10, <= 7.5.9, <= 7.6.6,<= 7.7.4, <= 7.8.3, <= 7.9.2, =8.0.0, Confluent Cloud managed clusters
Recommended Action
- Please upgrade to CP versions: 7.3.14, 7.4.11, 7.5.10, 7.6.7, 7.7.5, 7.8.4, 7.9.3, 8.0.1
- Confluent Cloud: Managed Confluent Cloud clusters were identified to be vulnerable to this issue. However, all managed clusters have been upgraded. Please note that no security impact was observed for the impacted clusters. No further action is necessary at this time.
Issue
A security issue was identified to impact both Confluent Platform and Confluent Cloud managed clusters due to the reliance on vulnerable dependencies Jetty versions 9.4.57, 12.0.24 that are affected by CVE-2025-5115, and Netty version 4.1.118 that is affected by CVE-2025-55163.
This vulnerability is due to the way HTTP/2 servers handle request cancellation that can lead to resource exhaustion. A malicious client can abuse the stream lifecycle of HTTP/2 connection and create a large number of requests that can be immediately canceled, creating resource exhaustion on the server handling these requests.
Remediation
- Confluent Cloud: Managed Confluent Cloud clusters are already patched to address this issue.
- Confluent Platform: This issue is resolved in the CP patch release versions 7.3.14, 7.4.11, 7.5.10, 7.6.7, 7.7.5, 7.8.4, 7.9.3, 8.0.1. These fixes adequately address this issue by updating the vulnerable libraries Jetty to version 9.4.58 in Confluent Platform 7.3.14, 7.4.11, 7.5.10, 7.6.7, 7.7.5, 7.8.4, 7.9.3, and version 12.0.25 in Confluent Platform 8.0.1, and Netty to version 4.1.125.Final that effectively mitigate this vulnerability.
Original CVSS Scores:
7.5
Original CVSS Scores:
6.5
CVSS v3.1 Calculator:
- CVE-2025-8671: NVD - CVSS v3.1 Calculator Link
- CVE-2025-55163: NVD - CVSS v3.1 Calculator Link