Presented at DEF CON 33 (2025), Aug. 9, 2025, noon (45 minutes).
Apache Kafka is an open-source distributed event streaming platform. At the heart of Kafka lies the Broker, which acts as the central server node in a Kafka cluster. Brokers are responsible for storing streams of data and managing the flow of messages between producers and consumers. The Kafka Server we often refer to is essentially the Kafka Broker.
While Kafka's core system handles data streams well, its real strength comes from its growing ecosystem. The components in the ecosystem greatly expand its abilities: Confluent ksqlDB transforms raw streams into queryable tables for real-time analytics; Schema Registry standardizes data formats across microservices; and so on.
However, behind these rich components lie hidden security threats. Prior research has revealed Remote Code Execution (RCE) vulnerabilities in the Kafka Client, yet notably absent were any exploitable RCE vulnerabilities in the Kafka Server — until now. In this work, we present the first-ever RCE vulnerability affecting the Kafka Server itself. At the same time, we also used similar techniques to attack other components in the Kafka ecosystem, and these vulnerabilities can also affect the cloud service providers themselves. What's more, since Kafka users remain unaware of this risk, thousands of Kafka servers are now exposed to this RCE vulnerability.
Presenters:
- Ji'an "azraelxuemo" Zhou
Ji'an Zhou is a Security Engineer at Alibaba Cloud. He focuses on Java security and cloud-native security, and his work has helped many high-profile vendors improve their products' security, including Google, Amazon, Cloudera, IBM, Microsoft, and Oracle. He has previously spoken at Black Hat, Zer0Con, and Off-by-One Con.
- Ying Zhu
Ying Zhu is a Security Engineer at Alibaba Cloud. He is interested in web application security, especially Java application security. He has reported many critical vulnerabilities to Amazon, Apache, Cloudera, Microsoft, etc.
- ZiYang "lz2y" Li
Ziyang Li is a Security Engineer at Alibaba Cloud. He focuses on Java security and security products. He has reported many critical vulnerabilities to Amazon, Apache, Cloudera, Microsoft, etc.