Kafka-UI Remote Code Execution Vulnerability via Custom Serde Loading
Vulnerability
A remote code execution vulnerability has been identified in Kafka-UI versions 0.6.0 through 0.7.2. The issue arises from improper input validation in the Custom Serde Loader component, allowing attackers to execute arbitrary code by supplying crafted data. Exploitation involves uploading a malicious JAR file to an accessible path, which the application may then load and execute.
Impact
Exploitation of this vulnerability allows for remote code execution on the server where Kafka-UI is running, with the same privileges as the Kafka-UI process.
Reproduction
To reproduce this vulnerability, navigate to the 'Configure new cluster' interface in Kafka-UI. In the Serde configuration section, submit a PUT request to the '/api/config' endpoint with a payload that includes a 'serde' element pointing to a malicious JAR file. The application will attempt to load and execute the code from the JAR, leading to remote code execution.
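One way to supply the validation the advisory says is missing, as an added example that is not Kafka-UI's own code: a gate run over a dynamic-config update before it is applied, which rejects any serde entry that would load a JAR from outside one operator-approved directory. The kafka.clusters[].serde[] layout and the filePath / className keys are assumptions here, as are the sample paths.

```python
"""Gate for Kafka-UI dynamic-config updates: reject serde entries that would
load a JAR from anywhere but an operator-approved directory. Added example,
not the project's code; the kafka.clusters[].serde[] layout and the
filePath / className keys are assumed."""
import os
from typing import Dict, List, Optional

def _resolves_under(path: str, root: str) -> bool:
    """True if `path`, with '..' and symlinks resolved, lies inside `root`."""
    real, real_root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([real, real_root]) == real_root

def find_unsafe_serdes(properties: Dict, allowed_dir: Optional[str]) -> List[str]:
    """One finding per serde entry to reject. allowed_dir=None means custom JAR
    loading is off, so any entry with filePath is rejected; otherwise filePath
    must resolve under allowed_dir (no traversal/symlink escape) and be a .jar."""
    findings: List[str] = []
    clusters = properties.get("kafka", {}).get("clusters", [])
    for ci, cluster in enumerate(clusters):
        for si, serde in enumerate(cluster.get("serde", [])):
            where = f"kafka.clusters[{ci}].serde[{si}] ({serde.get('name', '?')})"
            file_path = serde.get("filePath")
            if file_path is None:
                continue  # built-in serde class, nothing loaded from disk
            if allowed_dir is None:
                findings.append(f"{where}: custom JAR loading is disabled")
            elif not _resolves_under(file_path, allowed_dir):
                findings.append(f"{where}: {file_path} is outside {allowed_dir}")
            elif not file_path.lower().endswith(".jar"):
                findings.append(f"{where}: {file_path} is not a .jar file")
    return findings

# Constructed sample update: a built-in serde, a JAR in the approved directory,
# a JAR dropped into a world-writable upload path, and a traversal attempt that
# lexically starts inside the approved directory.
ALLOWED_DIR = "/opt/kafka-ui/serdes"
SAMPLE_PROPERTIES = {"kafka": {"clusters": [{"name": "prod", "serde": [
    {"name": "Json", "className": "com.example.BuiltinJsonSerde"},
    {"name": "Avro", "className": "com.example.AvroSerde",
     "filePath": "/opt/kafka-ui/serdes/avro-serde.jar"},
    {"name": "Evil", "className": "com.example.Evil",
     "filePath": "/tmp/uploads/evil.jar"},
    {"name": "Sneaky", "className": "com.example.Sneaky",
     "filePath": "/opt/kafka-ui/serdes/../../../tmp/uploads/evil.jar"},
]}]}}

if __name__ == "__main__":
    for finding in find_unsafe_serdes(SAMPLE_PROPERTIES, ALLOWED_DIR):
        print("REJECT:", finding)
```

Passing allowed_dir=None models the stricter option of refusing custom JAR loading through the dynamic-config endpoint altogether.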