
Apache Kafka

Apache Kafka is a distributed event streaming platform designed for high-throughput, fault-tolerant data pipelines. It is maintained by the Apache Software Foundation, which acts as a CNA, producing well-enriched NVD records with explicit version ranges. CVE history includes SASL/JAAS configuration injection, authorization bypass issues, and Connect worker vulnerabilities.


Querying Apache Kafka

Product slug: apache_kafka
Version format: 3.7.0, 3.5.1, 3.3.2

```bash
curl "https://api.attestd.io/v1/check?product=apache_kafka&version=3.3.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"
```

Kafka 3.3.0 is affected by CVE-2023-25194 (SASL JAAS JNDI injection in Connect workflows). Expect risk_state: "high".

```json
{
  "product": "apache_kafka",
  "version": "3.3.0",
  "supported": true,
  "risk_state": "high",
  "risk_factors": [
    "remote_code_execution",
    "authentication_required",
    "internet_exposed_service",
    "patch_available"
  ],
  "actively_exploited": false,
  "remote_exploitable": true,
  "authentication_required": true,
  "patch_available": true,
  "fixed_version": "3.4.0",
  "confidence": 0.83,
  "cve_ids": ["CVE-2023-25194"],
  "last_updated": "2026-02-23T18:21:30Z"
}
```

Safe version

Kafka 3.7.0 has no known relevant vulnerabilities at the time of the last synthesis run.

```bash
curl "https://api.attestd.io/v1/check?product=apache_kafka&version=3.7.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"
```

CVE history

Kafka's CVE history reflects its use of Java ecosystem components. JNDI injection via SASL/JAAS configuration is the highest-severity recent pattern (CVE-2023-25194). Older vulnerabilities involve authorization evaluation ordering and SSL/TLS protocol interaction bugs.

| CVE | Description | Affects | CVSS |
| --- | --- | --- | --- |
| CVE-2023-25194 | JNDI injection via SASL JAAS configuration in Connect workers; allows remote code execution by authenticated users who can modify connector configurations. | < 2.8.11, 3.x < 3.3.3 | 8.8 |
| CVE-2022-34917 | Heap buffer overflow via crafted consumer group metadata message allowing denial of service. | < 3.2.3 | 7.5 |
| CVE-2020-17515 | Server-side request forgery via the offsets topic replication process. | < 2.6.0 | 5.3 |
| CVE-2018-17196 | Authorization flaw where message interception occurs before ACL evaluation in certain producer configurations. | < 2.0.1 | 6.3 |
| CVE-2017-12610 | Authentication bypass when SSL client certificate authentication is combined with KIP-31 and KIP-42 protocol configurations. | < 0.11.0.3, 1.0.x | 8.1 |
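As an added example (not attestd.io tooling or data), the following Python matches a deployed Kafka version against the "Affects" column of the table above, so an inventory can be pre-screened offline before querying the API. The range strings are copied from the table; the interpretation of the three notations (`< X`, `N.x < X`, `N.M.x`) is an assumption, since the page does not define them.

```python
import re
from typing import Callable, Dict, List, Tuple

# Copied from the "Affects" column of the CVE table above (constructed map, not an API payload).
AFFECTS: Dict[str, str] = {
    "CVE-2023-25194": "< 2.8.11, 3.x < 3.3.3",
    "CVE-2022-34917": "< 3.2.3",
    "CVE-2020-17515": "< 2.6.0",
    "CVE-2018-17196": "< 2.0.1",
    "CVE-2017-12610": "< 0.11.0.3, 1.0.x",
}

def parse_version(v: str) -> Tuple[int, ...]:
    """'3.3.0' -> (3, 3, 0); Kafka versions are plain dotted integers."""
    return tuple(int(p) for p in v.strip().split("."))

def _term_matcher(term: str) -> Callable[[Tuple[int, ...]], bool]:
    """Build a predicate for one range term. Assumed semantics:
    '< X'      any version strictly below X
    'N.x < X'  versions with major N that are strictly below X
    'N.M.x'    any version with prefix N.M
    """
    term = term.strip()
    m = re.fullmatch(r"<\s*([\d.]+)", term)
    if m:
        upper = parse_version(m.group(1))
        return lambda v: v < upper
    m = re.fullmatch(r"([\d.]+)\.x\s*<\s*([\d.]+)", term)
    if m:
        prefix, upper = parse_version(m.group(1)), parse_version(m.group(2))
        return lambda v: v[:len(prefix)] == prefix and v < upper
    m = re.fullmatch(r"([\d.]+)\.x", term)
    if m:
        prefix = parse_version(m.group(1))
        return lambda v: v[:len(prefix)] == prefix
    raise ValueError(f"unrecognised range term: {term!r}")

def is_affected(version: str, affects: str) -> bool:
    """True if `version` falls inside any comma-separated term of `affects`."""
    v = parse_version(version)
    return any(_term_matcher(t)(v) for t in affects.split(","))

def matching_cves(version: str, table: Dict[str, str] = AFFECTS) -> List[str]:
    """CVE ids from the table whose affected range contains `version`, in table order."""
    return [cve for cve, rng in table.items() if is_affected(version, rng)]

if __name__ == "__main__":
    for ver in ("3.3.0", "3.7.0"):
        print(ver, matching_cves(ver))  # 3.3.0 -> ['CVE-2023-25194'], 3.7.0 -> []
```

A fixed-version boundary such as 3.3.3 is treated as not affected, and a non-matching range string raises rather than silently passing.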