org.springframework.kafka:spring-kafka
Maven3 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.springframework.kafka:spring-kafkapage 1 of 1
- CVE-2023-34040MEDIUMCVSS 5.3EG 5.3✓ Fixed in 3.0.102023-08-24
vulnerable: 3.0.0 ... 3.0.9 (10 versions)
In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized objec…
- CVE-2026-41726MEDIUMCVSS 6.5EG 6.52026-06-10
vulnerable: 1.0.0.RELEASE ... 2.8.9 (160 versions)
When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemo…
- CVE-2026-41731HIGHCVSS 8.1EG 8.12026-06-10
vulnerable: 1.0.0.RELEASE ... 2.8.9 (160 versions)
JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's defa…
Check whether org.springframework.kafka:spring-kafka is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for org.springframework.kafka:spring-kafka CVEs against the assets you own.
Start Free Scan →