CodeNewbie Community 🌱

Sharon428931

New Kafka Connect Vulnerability (CVE-2025-27817) Lets Attackers Read Any File

About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.

On June 10, 2025, the Apache Kafka project published a security advisory for CVE-2025-27817, a critical vulnerability in the Apache Kafka client that is most easily reached through Kafka Connect. Anyone who can submit a connector configuration, which the Connect REST API accepts without authentication by default, can make the worker read arbitrary files from its host, with no user interaction required.

If you’re using Apache Kafka Connect or systems that integrate it (like Apache Druid), you need to patch ASAP.

What’s the issue?

The Kafka client fetches two SASL/OAUTHBEARER URLs taken straight from its configuration:

  • sasl.oauthbearer.token.endpoint.url
  • sasl.oauthbearer.jwks.endpoint.url

Neither value was validated, so the client opened whatever URL it was given. A file:// URL makes it read a local file and return the contents in the resulting error output; an http(s):// URL pointing at an internal address makes the worker send the request on the attacker's behalf (SSRF). Because Kafka Connect accepts connector configurations, including these client settings, over its REST API, the bug turns REST API access into file and network access from the worker host.

Potential Impact

  • Arbitrary file read: any file the worker process can read, including credentials and configuration files.
  • SSRF: HTTP requests to internal services sent from the worker host.
  • No authentication required: the Connect REST API ships without authentication, so anyone who can reach it can submit a connector configuration.
  • Works under the default configuration.
  • Remotely exploitable over the network with low complexity.

Affected Versions

Apache Kafka (clients, including Kafka Connect): 3.1.0 – 3.9.0

How to fix it

Temporary Workarounds

  • Don’t expose the Kafka Connect REST API to the internet, and limit which hosts can reach it at all. The REST API has no authentication by default, so network reachability is the only barrier.
  • Bind the REST API to an internal address and review who can reach it:
    • standalone mode: listeners and rest.host.name in connect-standalone.properties
    • distributed mode: listeners and rest.host.name in connect-distributed.properties
  • Use a Web Application Firewall (like SafeLine) or firewall rules to block requests to /connectors (connector creation and config updates) whose body sets sasl.oauthbearer.token.endpoint.url or sasl.oauthbearer.jwks.endpoint.url to a file:// URL or to an internal address.
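One way to implement the last workaround, as an added example for this post rather than SafeLine's own rule or any code from Apache Kafka: a small Python check that takes the body of a connector create (POST /connectors) or config update (PUT /connectors/<name>/config) request, finds the two settings from the advisory under any client-override prefix (producer.override., consumer.override., admin.override., which Connect allows in connector configs), and rejects values that are not http(s) URLs or that point at loopback, private or link-local addresses. The request bodies in the block are constructed samples, not captured traffic.

```python
"""Flag Kafka Connect REST requests that set the OAUTHBEARER URL options to
file:// or internal destinations. Added example for this post, not code from
Apache Kafka or from SafeLine; the request bodies below are constructed."""
import ipaddress
import json
from typing import Optional
from urllib.parse import urlsplit

# The two client settings named in the advisory. Connector configs may carry
# them under a client-override prefix (producer.override., consumer.override.,
# admin.override.), so matching is done on the key suffix.
RISKY_KEYS = (
    "sasl.oauthbearer.token.endpoint.url",
    "sasl.oauthbearer.jwks.endpoint.url",
)


def connector_config(body: str) -> dict:
    """Return the flat config map from either Connect request shape:
    POST /connectors            -> {"name": ..., "config": {...}}
    PUT  /connectors/<n>/config -> {...}  (the config map itself)
    """
    doc = json.loads(body)
    cfg = doc["config"] if isinstance(doc.get("config"), dict) else doc
    return {str(k): str(v) for k, v in cfg.items()}


def url_finding(key: str, value: str) -> Optional[str]:
    """Reason to block this key/value, or None if it looks like a normal endpoint."""
    parts = urlsplit(value.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # file:// is the arbitrary-file-read case; anything else that is not an
        # HTTP endpoint has no business in a token or JWKS URL either.
        return f"{key}: non-http scheme {scheme!r}"
    host = parts.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name; leave that to egress policy or resolver checks
    if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified:
        return f"{key}: internal address {host} (possible SSRF)"
    return None


def scan_request(body: str) -> list:
    """All findings for one connector create/update request body."""
    findings = []
    for key, value in connector_config(body).items():
        if key.endswith(RISKY_KEYS):
            reason = url_finding(key, value)
            if reason:
                findings.append(reason)
    return findings


# Constructed sample bodies (not captured traffic).
FILE_READ_REQUEST = json.dumps({            # POST /connectors
    "name": "orders-sink",
    "config": {
        "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
        "topics": "orders",
        "file": "/tmp/orders.txt",
        "consumer.override.sasl.oauthbearer.token.endpoint.url": "file:///etc/passwd",
    },
})
SSRF_REQUEST = json.dumps({                 # PUT /connectors/orders-sink/config
    "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
    "topics": "orders",
    "sasl.oauthbearer.jwks.endpoint.url": "http://169.254.169.254/latest/meta-data/",
})
BENIGN_REQUEST = json.dumps({               # PUT with an ordinary IdP endpoint
    "connector.class": "org.apache.kafka.connect.file.FileStreamSinkConnector",
    "sasl.oauthbearer.token.endpoint.url": "https://login.example.com/oauth2/token",
})

if __name__ == "__main__":
    for label, body in [("file read", FILE_READ_REQUEST), ("ssrf", SSRF_REQUEST),
                        ("benign", BENIGN_REQUEST)]:
        print(label, "->", scan_request(body) or "allow")
```

The check deliberately matches on the key suffix rather than the exact key, because Connect lets connector configs carry client settings under override prefixes; a rule that only looks for the bare key is trivially bypassed. DNS names are passed through here, since resolving them inside a request filter is its own SSRF and DNS-rebinding problem; enforce those at the egress firewall instead.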

Official Patch

Apache has fixed this in Kafka 3.9.1. The fix adds a JVM system property, org.apache.kafka.sasl.oauthbearer.allowed.urls, that allow-lists the URLs these two settings may use; in 3.9.1 it accepts all URLs by default for backward compatibility, so after upgrading set it explicitly to your token and JWKS endpoints. Upgrade now:

Download Kafka 3.9.1

Reproduction

[The original post documents the reproduction with two screenshots, which are not reproduced here.]

Detection & Protection

Product     Detection / protection support
YunTu       Fingerprint & PoC detection supported
DongJian    Detection support released on June 11
SafeLine    Detects exploit behavior starting June 11
QuanXi      Exploit detection supported by default

Timeline

  • June 10, 2025: CVE disclosure and advisory published by Apache and Changting Security Team.
