CVE-2025-27819 Overview
CVE-2025-27819 is an Insecure Deserialization vulnerability affecting Apache Kafka brokers that enables Remote Code Execution (RCE) or Denial of Service (DoS) attacks through SASL JAAS JndiLoginModule configuration. This vulnerability is related to the previously disclosed CVE-2023-25194, which affected Kafka Connect API. However, CVE-2025-27819 reveals that Apache Kafka brokers themselves are also vulnerable to this attack vector. Exploitation requires the attacker to connect to the Kafka cluster and possess AlterConfigs permission on the cluster resource.
Critical Impact
Attackers with cluster access and AlterConfigs permission can achieve remote code execution or cause denial of service on Apache Kafka brokers through malicious SASL JAAS configuration.
Affected Products
- Apache Kafka (versions prior to 3.4.0 without mitigation)
- Apache Kafka (versions 3.4.0 to 3.9.0 with partial mitigation)
- Apache Kafka (versions prior to 3.9.1/4.0.0 with incomplete default protections)
Discovery Timeline
- 2025-06-10 - CVE CVE-2025-27819 published to NVD
- 2025-07-11 - Last updated in NVD database
Technical Details for CVE-2025-27819
Vulnerability Analysis
This vulnerability stems from the improper handling of SASL JAAS (Java Authentication and Authorization Service) configuration in Apache Kafka brokers. The JndiLoginModule and LdapLoginModule classes can be abused to perform JNDI (Java Naming and Directory Interface) injection attacks, a well-known exploitation technique in Java applications.
When an attacker with sufficient permissions (AlterConfigs on the cluster resource) modifies the SASL JAAS configuration, they can inject a malicious JNDI URL that points to an attacker-controlled server. Upon processing this configuration, the Kafka broker attempts to resolve the JNDI lookup, which can result in loading and executing arbitrary code from a remote location or exhausting system resources, leading to denial of service.
The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data), as the core issue involves the unsafe deserialization of objects through JNDI lookups. This attack pattern has been observed in numerous Java vulnerabilities, including the infamous Log4Shell (CVE-2021-44228).
Root Cause
The root cause of this vulnerability lies in the default availability of dangerous login modules (com.sun.security.auth.module.JndiLoginModule and com.sun.security.auth.module.LdapLoginModule) within the SASL JAAS configuration mechanism. These modules support JNDI lookups that can be weaponized to load malicious objects from remote servers. Prior to Apache Kafka 3.4.0, there was no mechanism to disable these problematic login modules, leaving Kafka brokers exposed to JNDI injection attacks when an authenticated user with configuration privileges submits a malicious configuration.
Attack Vector
The attack requires network access to the Kafka cluster and authenticated access with AlterConfigs permission. An attacker exploits this vulnerability by submitting a specially crafted SASL JAAS configuration that references a malicious JNDI endpoint. When the broker processes this configuration, it performs a JNDI lookup to the attacker-controlled server, which can respond with a serialized Java object containing malicious code. Upon deserialization, this code executes within the context of the Kafka broker process, potentially allowing full system compromise or service disruption.
The attack flow involves: (1) authenticating to the Kafka cluster with appropriate permissions, (2) crafting a malicious SASL JAAS configuration with JndiLoginModule referencing an attacker-controlled LDAP/RMI server, (3) using the AlterConfigs API to apply this configuration, and (4) the Kafka broker processing the configuration and executing the JNDI lookup, leading to RCE or DoS.
Detection Methods for CVE-2025-27819
Indicators of Compromise
- Unexpected outbound LDAP or RMI connections from Kafka broker hosts to external IP addresses
- Configuration changes to SASL JAAS settings containing JndiLoginModule or LdapLoginModule references
- Unusual AlterConfigs API calls targeting authentication-related cluster configurations
- Anomalous process spawning or file system modifications on Kafka broker systems
Detection Strategies
- Monitor Kafka audit logs for AlterConfigs operations that modify SASL or JAAS-related settings
- Implement network monitoring to detect outbound JNDI-related traffic (LDAP on port 389/636, RMI on port 1099)
- Deploy application-level firewalls or security controls to inspect Kafka Admin API requests for suspicious configuration patterns
- Use SentinelOne Singularity platform to detect and block JNDI injection attempts and anomalous Java process behavior
Monitoring Recommendations
- Enable comprehensive Kafka audit logging and forward logs to a SIEM for analysis
- Establish baselines for legitimate configuration change patterns and alert on deviations
- Monitor Java process behavior on Kafka broker hosts for indicators of code execution post-exploitation
- Implement real-time alerting for any modifications to SASL JAAS configuration parameters
How to Mitigate CVE-2025-27819
Immediate Actions Required
- Upgrade Apache Kafka to version 3.9.1 or 4.0.0 where both JndiLoginModule and LdapLoginModule are disabled by default
- For Kafka versions 3.4.0 through 3.9.0, verify that the -Dorg.apache.kafka.disallowed.login.modules system property is properly configured
- Review and restrict AlterConfigs permissions to only trusted administrators
- Audit existing SASL JAAS configurations for any suspicious or unauthorized login module references
Patch Information
Apache Kafka has addressed this vulnerability through progressive security improvements. In Apache Kafka 3.4.0, a system property (-Dorg.apache.kafka.disallowed.login.modules) was introduced to disable problematic login modules, with com.sun.security.auth.module.JndiLoginModule disabled by default. In Apache Kafka 3.9.1 and 4.0.0, both com.sun.security.auth.module.JndiLoginModule and com.sun.security.auth.module.LdapLoginModule are disabled by default. Organizations should upgrade to the latest patched version and consult the Apache Kafka CVE List for detailed guidance.
Workarounds
- For versions prior to 3.4.0, implement network-level controls to prevent outbound JNDI connections from Kafka brokers
- Strictly limit AlterConfigs ACL permissions to a minimal set of trusted principals
- Deploy a Java Security Manager policy to restrict JNDI lookups (note: Security Manager is deprecated in newer Java versions)
- Implement application-layer filtering to block configuration changes containing dangerous login module references
# Configuration example: Disable problematic login modules in Kafka broker startup
# Add this to your Kafka broker JVM options (kafka-server-start.sh or systemd unit file)
export KAFKA_OPTS="-Dorg.apache.kafka.disallowed.login.modules=com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
