Skip to main content

Spring For Apache Kafka

3 CVEs product

Monthly

CVE-2026-41731 Maven HIGH PATCH GHSA This Week

Unsafe deserialization in Spring for Apache Kafka (versions 2.8.0-4.0.5 across multiple branches) allows a malicious Kafka producer to send crafted message headers that cause downstream consumers to instantiate arbitrary JDK types via Jackson. The flaw stems from a prefix-based trusted-packages check in JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper, which silently extends trust to every subpackage. No public exploit identified at time of analysis, but the bug class (CWE-502 with Jackson default typing) has a long history of leading to remote code execution in Spring/Java ecosystems.

Deserialization Apache Java Spring For Apache Kafka
NVD HeroDevs VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-41727 MEDIUM PATCH This Month

Improper input validation in Spring for Apache Kafka's non-blocking retry topic infrastructure allows an authenticated network producer to disrupt message processing availability across multiple major version lines. By injecting a crafted `retry_topic-attempts` header with an out-of-range integer value, an attacker causes the retry topic router to misidentify the message's position in the retry sequence, producing high availability impact (A:H per CVSS). Affected deployments span Spring for Apache Kafka 2.8.x through 4.0.x. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Information Disclosure Apache Java Spring For Apache Kafka
NVD HeroDevs VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2023-34040 Maven HIGH PATCH This Week

In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Java Apache Deserialization Spring For Apache Kafka
NVD
CVSS 3.1
7.8
EPSS
2.2%
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Unsafe deserialization in Spring for Apache Kafka (versions 2.8.0-4.0.5 across multiple branches) allows a malicious Kafka producer to send crafted message headers that cause downstream consumers to instantiate arbitrary JDK types via Jackson. The flaw stems from a prefix-based trusted-packages check in JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper, which silently extends trust to every subpackage. No public exploit identified at time of analysis, but the bug class (CWE-502 with Jackson default typing) has a long history of leading to remote code execution in Spring/Java ecosystems.

Deserialization Apache Java +1
NVD HeroDevs VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Improper input validation in Spring for Apache Kafka's non-blocking retry topic infrastructure allows an authenticated network producer to disrupt message processing availability across multiple major version lines. By injecting a crafted `retry_topic-attempts` header with an out-of-range integer value, an attacker causes the retry topic router to misidentify the message's position in the retry sequence, producing high availability impact (A:H per CVSS). Affected deployments span Spring for Apache Kafka 2.8.x through 4.0.x. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Information Disclosure Apache Java +1
NVD HeroDevs VulDB
EPSS 2% CVSS 7.8
HIGH PATCH This Week

In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Java Apache Deserialization +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy