CVE-2025-60536
📋 TL;DR
A vulnerability in kafka-ui versions 0.6.0 through 0.7.2 lets an authenticated user cause a Denial of Service (DoS) by uploading a specially crafted configuration file through the Configure New Cluster interface. All deployments running a vulnerable version with the cluster configuration feature enabled are affected.
💻 Affected Systems
- kafka-ui
⚠️ Manual Verification Required
This CVE has no structured version range in our database, so automatic vulnerability detection cannot determine whether your system is affected.
Why? The database entry carries no machine-readable version ranges from the vendor/NVD. The description above cites 0.6.0 through 0.7.2 as affected, so confirm your deployed version manually using the steps under How to Verify.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability of kafka-ui, potentially disrupting Kafka cluster management and monitoring capabilities.
Likely Case
Temporary service disruption requiring manual intervention to restart kafka-ui or clear the malicious configuration.
If Mitigated
Minimal impact with proper input validation and access controls preventing unauthorized configuration uploads.
🎯 Exploit Status
Exploitation requires an authenticated account that can reach the configuration interface, so exposure depends on who is granted that access; a legitimate but compromised or malicious account is sufficient. The vulnerability is in the SchemaRegistrySerde component, which processes the uploaded configuration files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.7.3 or later
Vendor Advisory: https://github.com/provectus/kafka-ui (project repository; check its releases and security advisories for the version-specific notice)
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Stop the kafka-ui service.
3. Update to version 0.7.3 or later.
4. Restart the kafka-ui service.
5. Verify functionality.
🔧 Temporary Workarounds
Restrict Configuration Interface Access
Limit access to the Configure New Cluster interface using network controls or authentication mechanisms.
Configure firewall or reverse-proxy rules so that kafka-ui's configuration endpoints are reachable only from administrators' source addresses.
Enforce authentication and role-based authorization for configuration operations; accounts that only need to browse topics should not be able to reach the configuration interface.
Disable Unnecessary Features
Temporarily disable the Configure New Cluster interface if it is not required.
In kafka-ui this interface is the dynamic configuration feature, which is off by default and is switched on with the DYNAMIC_CONFIG_ENABLED environment variable (the dynamic.config.enabled property); remove that setting or set it to false and restart the service.
Define clusters statically in the application configuration instead, so that no runtime configuration upload path is exposed.
🧯 If You Can't Patch
- Implement strict input validation for configuration file uploads
- Monitor and alert on unusual configuration upload activities
🔍 How to Verify
Check if Vulnerable:
Check the kafka-ui version: if it is between 0.6.0 and 0.7.2 inclusive, the system is vulnerable. The flaw is only reachable while the cluster configuration feature is enabled, but treat any vulnerable version as needing the patch, since the feature can be enabled later.
Check Version:
Check the kafka-ui application logs or configuration files for version information, or, if the Spring Boot actuator info endpoint is exposed, query it: curl -s http://kafka-ui-host:port/actuator/info | grep version
Verify Fix Applied:
Verify kafka-ui version is 0.7.3 or later and test configuration upload functionality.
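The version check above carried through in code, as an added example that is not part of this page or of the kafka-ui project. It compares a version string against the affected range this page cites (0.6.0 through 0.7.2, fixed in 0.7.3) and can read that string from the actuator info endpoint. The JSON layout it expects ({"build": {"version": ...}}) is the default Spring Boot build-info shape and is an assumption about your deployment; the sample response is constructed.

```python
import json
import re
import urllib.request

# Range and fix version as stated on this page.
AFFECTED_MIN = (0, 6, 0)
AFFECTED_MAX = (0, 7, 2)
FIXED = (0, 7, 3)


def parse_version(text):
    """Turn 'v0.7.2', '0.7.2-SNAPSHOT' or '0.6' into a comparable (major, minor, patch) tuple.
    Pre-release suffixes are ignored, which errs on the side of flagging a build."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) if part is not None else 0 for part in m.groups())


def is_affected(version):
    """True when the version lies inside the affected range, inclusive at both ends."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def is_fixed(version):
    """True when the version is at or above the first fixed release."""
    return parse_version(version) >= FIXED


def version_from_actuator_info(body):
    """Extract build.version from a Spring Boot /actuator/info JSON body (assumed layout)."""
    data = json.loads(body)
    version = (data.get("build") or {}).get("version")
    if not version:
        raise ValueError("response has no build.version field; read the version from logs instead")
    return str(version)


def check_host(base_url, timeout=5):
    """Fetch <base_url>/actuator/info and classify the running instance.
    Network call; assumes the info endpoint is exposed on that base URL."""
    url = base_url.rstrip("/") + "/actuator/info"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    version = version_from_actuator_info(body)
    return version, is_affected(version)


# Constructed sample response, not captured from a real instance.
SAMPLE_INFO = '{"build": {"artifact": "kafka-ui-api", "version": "0.7.1"}}'

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        version, affected = check_host(sys.argv[1])
    else:
        version = version_from_actuator_info(SAMPLE_INFO)
        affected = is_affected(version)
    print(f"kafka-ui {version}: {'AFFECTED' if affected else 'not in affected range'}")
```

Run it with the base URL of an instance (python3 check.py http://kafka-ui-host:port) or without arguments to see the constructed sample classified. A version string that carries no dotted number (a bare commit hash, for example) raises rather than silently passing.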
📡 Detection & Monitoring
Log Indicators:
- Error logs related to SchemaRegistrySerde processing
- Unusual configuration upload patterns
- Service restart events following configuration changes
Network Indicators:
- Unusual POST requests to configuration endpoints
- Large or malformed configuration file uploads
SIEM Query (Splunk-style pseudo-query; adapt the source and field names to your SIEM):
source="kafka-ui" AND ("SchemaRegistrySerde" OR "configuration upload" OR "cluster config") AND severity=ERROR
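The detection idea above as a small correlation rule, added here as an example that is not from this page or the kafka-ui project. A plain keyword query fires on every SchemaRegistrySerde error, including ordinary schema-registry connectivity problems; this rule only alerts when a configuration upload (a POST or PUT to a config endpoint) is followed within a short window by a SchemaRegistrySerde error or an application restart, and it attributes the alert to the uploading account. The log lines and their format are constructed for illustration, and the /api/config path prefix is an assumption; adapt the regexes to your real access and application logs.

```python
from datetime import datetime, timedelta
import re

# Constructed sample logs (not real kafka-ui output). One format for both
# request and application lines: ISO timestamp, level, source, message.
SAMPLE_LOGS = """\
2025-10-01T10:00:01 INFO  http  10.0.0.5 admin POST /api/config/relatedfiles 200
2025-10-01T10:00:02 INFO  http  10.0.0.5 admin PUT /api/config 200
2025-10-01T10:00:03 ERROR SchemaRegistrySerde failed to initialise serde for cluster 'prod'
2025-10-01T10:00:04 INFO  app   restarting application with new config
2025-10-01T11:30:00 INFO  http  10.0.0.9 alice GET /api/clusters 200
2025-10-01T11:30:05 ERROR SchemaRegistrySerde connection refused to schema registry
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+(?P<src>\S+)\s+(?P<msg>.*)$")
# A configuration upload is any write to the config endpoints (path prefix assumed).
UPLOAD_RE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<method>POST|PUT)\s+(?P<path>/api/config\S*)\s+(?P<status>\d{3})$"
)


def parse_events(text):
    """Parse the constructed log format into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "level": m["level"],
            "src": m["src"],
            "msg": m["msg"],
        })
    return events


def is_symptom(event):
    """A symptom is a SchemaRegistrySerde error or a restart triggered by new config."""
    text = f'{event["src"]} {event["msg"]}'
    return (event["level"] == "ERROR" and "SchemaRegistrySerde" in text) or "restarting application" in text


def correlate(events, window_seconds=60):
    """Return one alert per upload that is followed by at least one symptom within the window.
    Each symptom is attributed to the most recent upload inside the window."""
    window = timedelta(seconds=window_seconds)
    uploads = []
    alerts = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["src"] == "http":
            u = UPLOAD_RE.match(e["msg"])
            if u:
                uploads.append({"ts": e["ts"], **u.groupdict()})
            continue
        if not is_symptom(e):
            continue
        recent = [u for u in uploads if timedelta(0) <= e["ts"] - u["ts"] <= window]
        if not recent:
            continue  # an error with no preceding upload is noise for this rule
        u = recent[-1]
        key = (u["ts"], u["user"], u["path"])
        alert = alerts.setdefault(key, {**u, "symptoms": []})
        alert["symptoms"].append(f'{e["ts"].isoformat()} {e["level"]} {e["src"]} {e["msg"]}')
    return list(alerts.values())


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOGS)):
        print(f'{alert["user"]}@{alert["ip"]} {alert["method"]} {alert["path"]} at {alert["ts"].isoformat()}')
        for s in alert["symptoms"]:
            print("  ", s)
```

On the sample, only the 10:00 upload by admin produces an alert (with two symptoms); the 11:30 SchemaRegistrySerde error has no upload within the window and is ignored, which is exactly the case the keyword-only query would have surfaced as a false positive.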