CVE-2025-49127

Kafbat UI is a web user interface for managing Apache Kafka clusters. An unsafe deserialization vulnerability in version 1.0.0 allows any unauthenticated user to execute arbitrary code on the server. Version 1.1.0 fixes the issue.

CVSS

No CVSS.

References

Link	Resource
https://github.com/kafbat/kafka-ui/releases/tag/v1.1.0
https://github.com/kafbat/kafka-ui/security/advisories/GHSA-g3mf-c374-fgh2
https://github.com/kafbat/kafka-ui/security/advisories/GHSA-g3mf-c374-fgh2

Configurations

No configuration.

History

09 Jun 2025, 16:15

Type	Values Removed	Values Added
References	~~() https://github.com/kafbat/kafka-ui/security/advisories/GHSA-g3mf-c374-fgh2 -~~	() https://github.com/kafbat/kafka-ui/security/advisories/GHSA-g3mf-c374-fgh2 -

09 Jun 2025, 12:15

Type	Values Removed	Values Added
Summary		(es) Kafbat UI es una interfaz de usuario web para administrar clústeres de Apache Kafka. Una vulnerabilidad de deserialización insegura en la versión 1.0.0 permite que cualquier usuario no autenticado ejecute código arbitrario en el servidor. La versión 1.1.0 corrige el problema.

06 Jun 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-06 21:15

Updated : 2025-06-09 16:15

NVD link : CVE-2025-49127

Mitre link : CVE-2025-49127

CVE.ORG link : CVE-2025-49127

JSON object : View

Products Affected

No product.

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2025-49127", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-06T21:15:23.137", "references": [{"url": "https://github.com/kafbat/kafka-ui/releases/tag/v1.1.0", "source": "security-advisories@github.com"}, {"url": "https://github.com/kafbat/kafka-ui/security/advisories/GHSA-g3mf-c374-fgh2", "source": "security-advisories@github.com"}, {"url": "https://github.com/kafbat/kafka-ui/security/advisories/GHSA-g3mf-c374-fgh2", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Kafbat UI is a web user interface for managing Apache Kafka clusters. An unsafe deserialization vulnerability in version 1.0.0 allows any unauthenticated user to execute arbitrary code on the server. Version 1.1.0 fixes the issue."}, {"lang": "es", "value": "Kafbat UI es una interfaz de usuario web para administrar cl\u00fasteres de Apache Kafka. Una vulnerabilidad de deserializaci\u00f3n insegura en la versi\u00f3n 1.0.0 permite que cualquier usuario no autenticado ejecute c\u00f3digo arbitrario en el servidor. La versi\u00f3n 1.1.0 corrige el problema."}], "lastModified": "2025-06-09T16:15:44.833", "sourceIdentifier": "security-advisories@github.com"}