GHSA-m744-jhq9-ppw6MediumCVSS 6.5
CoreWCF: Kafka consume pump halts permanently on a Kafka tombstone (null-value record), causing persistent endpoint denial of service.
🔗 CVE IDs covered (1)
📋 Description
Impact
A CoreWCF service is running and listening on a Kafka topic receiving a null-value record will stop processing new records from that topic.
Preconditions
The attacker has produce/write permission on a topic that CoreWCF is consuming from. If the broker permits anonymous publishes, no authentication is required.
Patches
Fixed in CoreWCF v1.8.1 and v1.9.1
Workarounds
Only allow authenticated writes to a topic
🎯 Affected products2
- nuget/CoreWCF.Kafka:< 1.8.1
- nuget/CoreWCF.Kafka:>= 1.9.0, < 1.9.1