CVE-2025-49127 HIGH

CVE-2025-49127: Kafbat UI vulnerable to Remote Code Execution by JMX in Metrics Configuration

Vendor Kafbat
Product kafka-ui
Weakness CWE-502 · Unsafe deserialization
Published June 6, 2025
Last update June 9, 2025

CVSS base score

8.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

Kafbat UI is a web user interface for managing Apache Kafka clusters. An unsafe deserialization vulnerability (CWE-502) in version 1.0.0, reachable through the JMX metrics configuration, allows any unauthenticated user to execute arbitrary code on the server. Version 1.1.0 fixes the issue.

Key dates

Disclosure timeline

June 6, 2025 CVE published
June 9, 2025 Record updated