AIKIDO-2026-11171

spring-kafka is vulnerable to Deserialization of Untrusted Data

Weakness: Deserialization of Untrusted Data
CVE: CVE-2026-41731
Published: Today
Score: 81 (High Risk)

This affects:

Java package spring-kafka

Vulnerable range        Fixed in
0.0.1 - 2.8.11          2.8.12
2.9.0 - 2.9.13          2.9.14
3.0.0 - 3.2.13          3.2.14
3.3.0 - 3.3.15          3.3.15.1
4.0.0 - 4.0.5           4.0.5.1

TL;DR

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types, including classes whose constructors carry side effects such as allocating file descriptors or spawning thread pools.
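The prefix check described above, shown beside one hardened alternative (exact package match plus an explicit type allow-list), as an added example in plain Java that is not spring-kafka's own mapper code; the trusted package, the allow-list and the header type names are constructed for illustration.

```java
import java.util.List;
import java.util.Set;

// Hypothetical, self-contained illustration of the two matching strategies.
// It is not spring-kafka's mapper code; all names below are constructed.
public final class HeaderTypeCheck {

    // Vulnerable shape from the advisory: trusting "com.example.events"
    // also admits every class in any subpackage beneath it, however deep.
    public static boolean trustedByPrefix(String className, List<String> trustedPackages) {
        for (String pkg : trustedPackages) {
            if (className.startsWith(pkg + ".")) {
                return true;
            }
        }
        return false;
    }

    // Hardened shape: the class's own package must equal a trusted package exactly,
    // and the fully qualified name must also appear on an explicit type allow-list,
    // so a header can never name a type the consumer did not opt in to.
    public static boolean trustedExact(String className, List<String> trustedPackages,
                                       Set<String> allowedTypes) {
        int dot = className.lastIndexOf('.');
        if (dot < 0) {
            return false; // default package is never trusted
        }
        String ownPackage = className.substring(0, dot);
        return trustedPackages.contains(ownPackage) && allowedTypes.contains(className);
    }

    public static void main(String[] args) {
        List<String> trusted = List.of("com.example.events");
        Set<String> allowed = Set.of("com.example.events.OrderPlaced");

        // Constructed header type names, as a producer could set them on a record.
        String[] headerTypes = {
            "com.example.events.OrderPlaced",      // the type the consumer expects
            "com.example.events.internal.Helper",  // subpackage type: admitted only by the prefix check
            "com.example.events.Unexpected",       // same package, but never allow-listed
            "org.other.Anything"                   // untrusted package: rejected by both
        };
        for (String type : headerTypes) {
            System.out.printf("%-40s prefix=%-5s exact=%s%n", type,
                trustedByPrefix(type, trusted), trustedExact(type, trusted, allowed));
        }
    }
}
```

Run it with `java HeaderTypeCheck.java` (Java 11 or later); the subpackage line is the one where the two columns disagree, which is exactly the gap the advisory describes.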

Who does this affect?

You are affected if you are using a spring-kafka version that falls within one of the vulnerable ranges listed above.

Background info

spring-kafka is vulnerable to Deserialization of Untrusted Data in versions 0.0.1 - 2.8.11, 2.9.0 - 2.9.13, 3.0.0 - 3.2.13, 3.3.0 - 3.3.15 and 4.0.0 - 4.0.5.

How to fix this

Upgrade the org.springframework.kafka:spring-kafka library to the patched release for your line: 2.8.12, 2.9.14, 3.2.14, 3.3.15.1 or 4.0.5.1.