Refine your search
4 vulnerabilities found for Spring For Apache Kafka by Spring
CVE-2026-41731 (GCVE-0-2026-41731)
Vulnerability from cvelistv5
Published
2026-06-09 23:49
Modified
2026-06-09 23:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types.
Affected versions:
Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Spring | Spring for Apache Kafka |
Version: 4.0.0 < 4.0.6 Version: 3.3.0 < 3.3.16 Version: 3.2.0 < 3.2.14 Version: 2.9.0 < 2.9.14 Version: 2.8.0 < 2.8.12 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring for Apache Kafka",
"vendor": "Spring",
"versions": [
{
"lessThan": "4.0.6",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "3.3.16",
"status": "affected",
"version": "3.3.0",
"versionType": "custom"
},
{
"lessThan": "3.2.14",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "2.9.14",
"status": "affected",
"version": "2.9.0",
"versionType": "custom"
},
{
"lessThan": "2.8.12",
"status": "affected",
"version": "2.8.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson\u0027s default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types.\n\nAffected versions:\nSpring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11."
}
],
"value": "JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson\u0027s default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types.\n\nAffected versions:\nSpring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A producer can supply crafted Kafka header values that cause the consumer to deserialize arbitrary JDK types via overly broad trusted-package prefix matching in JsonKafkaHeaderMapper."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T23:49:26.535Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-41731"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-41731",
"datePublished": "2026-06-09T23:49:26.535Z",
"dateReserved": "2026-04-22T06:21:39.015Z",
"dateUpdated": "2026-06-09T23:49:26.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41727 (GCVE-0-2026-41727)
Vulnerability from cvelistv5
Published
2026-06-09 23:49
Modified
2026-06-09 23:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
Spring Kafka's retry topic infrastructure did not sufficiently validate user-controlled header values before acting on them. A producer could send a record with a crafted retry_topic-attempts header to supply an out-of-range attempt count and cause the retry topic router to misidentify where the message was in the retry sequence.
Affected versions:
Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Spring | Spring for Apache Kafka |
Version: 4.0.0 < 4.0.6 Version: 3.3.0 < 3.3.16 Version: 3.2.0 < 3.2.14 Version: 2.9.0 < 2.9.14 Version: 2.8.0 < 2.8.12 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring for Apache Kafka",
"vendor": "Spring",
"versions": [
{
"lessThan": "4.0.6",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "3.3.16",
"status": "affected",
"version": "3.3.0",
"versionType": "custom"
},
{
"lessThan": "3.2.14",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "2.9.14",
"status": "affected",
"version": "2.9.0",
"versionType": "custom"
},
{
"lessThan": "2.8.12",
"status": "affected",
"version": "2.8.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Spring Kafka\u0027s retry topic infrastructure did not sufficiently validate user-controlled header values before acting on them. A producer could send a record with a crafted retry_topic-attempts header to supply an out-of-range attempt count and cause the retry topic router to misidentify where the message was in the retry sequence.\n\nAffected versions:\nSpring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11."
}
],
"value": "Spring Kafka\u0027s retry topic infrastructure did not sufficiently validate user-controlled header values before acting on them. A producer could send a record with a crafted retry_topic-attempts header to supply an out-of-range attempt count and cause the retry topic router to misidentify where the message was in the retry sequence.\n\nAffected versions:\nSpring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A producer can send Kafka records with forged retry_topic-attempts or retry_topic_backoff-timestamp headers to cause misrouting or impose arbitrarily long pauses, disrupting retry behavior."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T23:49:10.215Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-41727"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "In Spring for Apache Kafka, forged retry topic headers subvert retry routing and backoff behavior",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-41727",
"datePublished": "2026-06-09T23:49:10.215Z",
"dateReserved": "2026-04-22T06:21:39.014Z",
"dateUpdated": "2026-06-09T23:49:10.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41726 (GCVE-0-2026-41726)
Vulnerability from cvelistv5
Published
2026-06-09 23:48
Modified
2026-06-09 23:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Summary
When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError.
Affected versions:
Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Spring | Spring for Apache Kafka |
Version: 4.0.0 < 4.0.6 Version: 3.3.0 < 3.3.16 Version: 3.2.0 < 3.2.14 Version: 2.9.0 < 2.9.14 Version: 2.8.0 < 2.8.12 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring for Apache Kafka",
"vendor": "Spring",
"versions": [
{
"lessThan": "4.0.6",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "3.3.16",
"status": "affected",
"version": "3.3.0",
"versionType": "custom"
},
{
"lessThan": "3.2.14",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "2.9.14",
"status": "affected",
"version": "2.9.0",
"versionType": "custom"
},
{
"lessThan": "2.8.12",
"status": "affected",
"version": "2.8.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "When an application opts into DelegatingDeserializer, a producer can grow the consumer\u0027s heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError.\n\nAffected versions:\nSpring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11."
}
],
"value": "When an application opts into DelegatingDeserializer, a producer can grow the consumer\u0027s heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError.\n\nAffected versions:\nSpring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A producer can exhaust a consumer\u0027s heap without bound by sending Kafka records with unique random spring.kafka.serialization.selector header values when DelegatingDeserializer is configured."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T23:48:51.048Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-41726"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "In Spring for Apache Kafka, unbounded delegate cache keyed on user-controlled, potentially malicious selector header",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-41726",
"datePublished": "2026-06-09T23:48:51.048Z",
"dateReserved": "2026-04-22T06:21:39.014Z",
"dateUpdated": "2026-06-09T23:48:51.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-34040 (GCVE-0-2023-34040)
Vulnerability from cvelistv5
Published
2023-08-24 12:59
Modified
2024-10-01 16:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers.
Specifically, an application is vulnerable when all of the following are true:
* The user does notĀ configure an ErrorHandlingDeserializer for the key and/or value of the record
* The user explicitly sets container properties checkDeserExWhenKeyNull and/or checkDeserExWhenValueNull container properties to true.
* The user allows untrusted sources to publish to a Kafka topic
By default, these properties are false, and the container only attempts to deserialize the headers if an ErrorHandlingDeserializer is configured. The ErrorHandlingDeserializer prevents the vulnerability by removing any such malicious headers before processing the record.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Spring | Spring For Apache Kafka |
Version: 2.8.x Version: 2.9.x Version: 3.0.x |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:54:14.211Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://spring.io/security/cve-2023-34040"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34040",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-01T15:01:28.194900Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-01T16:13:52.394Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring For Apache Kafka",
"vendor": "Spring",
"versions": [
{
"lessThan": "2.9.11",
"status": "affected",
"version": "2.8.x",
"versionType": "2.9.11"
},
{
"lessThan": "2.9.11",
"status": "affected",
"version": "2.9.x",
"versionType": "2.9.11"
},
{
"lessThan": "3.0.10",
"status": "affected",
"version": "3.0.x",
"versionType": "3.0.10"
}
]
}
],
"datePublic": "2023-08-23T14:59:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers.\u003cbr\u003e\u003cbr\u003eSpecifically, an application is vulnerable when all of the following are true:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe user does \u003cb\u003enot\u003c/b\u003e\u0026nbsp;configure an ErrorHandlingDeserializer for the key and/or value of the record\u003c/li\u003e\u003cli\u003eThe user explicitly sets container properties checkDeserExWhenKeyNull and/or checkDeserExWhenValueNull container properties to true.\u003c/li\u003e\u003cli\u003eThe user allows untrusted sources to publish to a Kafka topic\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eBy default, these properties are false, and the container only attempts to deserialize the headers if an ErrorHandlingDeserializer is configured. The ErrorHandlingDeserializer prevents the vulnerability by removing any such malicious headers before processing the record.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers.\n\nSpecifically, an application is vulnerable when all of the following are true:\n\n * The user does not\u00a0configure an ErrorHandlingDeserializer for the key and/or value of the record\n * The user explicitly sets container properties checkDeserExWhenKeyNull and/or checkDeserExWhenValueNull container properties to true.\n * The user allows untrusted sources to publish to a Kafka topic\n\n\nBy default, these properties are false, and the container only attempts to deserialize the headers if an ErrorHandlingDeserializer is configured. The ErrorHandlingDeserializer prevents the vulnerability by removing any such malicious headers before processing the record.\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-24T12:59:20.620Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2023-34040"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Java Deserialization vulnerability in Spring-Kafka When Improperly Configured",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2023-34040",
"datePublished": "2023-08-24T12:59:20.620Z",
"dateReserved": "2023-05-25T17:21:56.201Z",
"dateUpdated": "2024-10-01T16:13:52.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}