CVE-2025-27817 Overview
A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting the SASL/OAUTHBEARER connection with the brokers, including sasl.oauthbearer.token.endpoint.url and sasl.oauthbearer.jwks.endpoint.url. Apache Kafka allows clients to read an arbitrary file and return the content in the error log, or sending requests to an unintended location. In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use the sasl.oauthbearer.token.endpoint.url and sasl.oauthbearer.jwks.endpoint.url configuration to read arbitrary contents of the disk and environment variables or make requests to an unintended location. This flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment/URL access, which may be undesirable in certain environments, including SaaS products.
Critical Impact
This vulnerability can lead to unauthorized data access and network exploitation, potentially exposing sensitive information and affecting system confidentiality.
Affected Products
- Apache Kafka Client
- Apache Kafka Connect
- Apache Kafka Brokers
Discovery Timeline
- Not Available - Vulnerability discovered by Not Available
- Not Available - Responsible disclosure to Apache
- Not Available - CVE CVE-2025-27817 assigned
- Not Available - Apache releases security patch
- 2025-06-10 - CVE CVE-2025-27817 published to NVD
- 2025-07-11 - Last updated in NVD database
Technical Details for CVE-2025-27817
Vulnerability Analysis
The vulnerability lies in the mishandling of URL configurations in Apache Kafka Clients, allowing unauthorized file reads and SSRF. The sasl.oauthbearer.token.endpoint.url and sasl.oauthbearer.jwks.endpoint.url configurations can be manipulated by untrusted inputs, resulting in arbitrary content access and undesirable request routing.
Root Cause
The root cause of the issue is improper validation of client-provided endpoint URLs in the SASL/OAUTHBEARER mechanism, which fails to restrict endpoint URLs to trusted sources.
Attack Vector
The network-based attack vector allows remote attackers to exploit this flaw when they can control or influence configuration data.
// Example exploitation code (sanitized)
String endpoint = getConfig("sasl.oauthbearer.token.endpoint.url");
URL url = new URL(endpoint);
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
connection.connect();
Detection Methods for CVE-2025-27817
Indicators of Compromise
- Unexpected outbound network traffic to untrusted locations
- Unusual error log entries containing file content
- Configurations with untrusted sasl.oauthbearer URLs
Detection Strategies
Monitor configuration files for changes to sasl.oauthbearer properties. Implement network monitoring to identify traffic anomalies and verify log entries for unauthorized file access or network requests.
Monitoring Recommendations
Deploy network intrusion detection systems (NIDS) and log analysis tools to alert on suspicious access patterns and unauthorized external calls.
How to Mitigate CVE-2025-27817
Immediate Actions Required
- Validate and restrict sasl.oauthbearer URLs to trusted sources
- Review and audit Kafka configuration files regularly
- Enable comprehensive logging of all Kafka-related activities
Patch Information
Since Apache Kafka 3.9.1/4.0.0, a system property -Dorg.apache.kafka.sasl.oauthbearer.allowed.urls has been introduced to restrict allowed URLs. Upgrade to Apache Kafka 4.0.0 or later to ensure this restriction is in place.
Workarounds
Enforce network-level restrictions to prevent unauthorized URL requests and implement strict input validation controls.
# Configuration example
-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls=https://trusted.url
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
