Severity

LOW (Remediated)

CVE-2025-6120

Unauthenticated metadata exposure in JMX metrics endpoint

Technology

Apache Kafka

CVSS Score

3.7 / 10.0

Affected Versions

2.8.0 – 3.3.2

Patched In

OSSeva for Apache Kafka 3.3.3-osseva-1

Published

August 18, 2025

Remediated

September 2, 2025

Description

The JMX metrics endpoint in the Kafka broker exposes consumer group lag metrics without authentication when the JMX port is externally accessible, potentially revealing information about internal topic structures.

Is your Apache Kafka deployment affected?

If you're running 2.8.0 – 3.3.2, you need this patch. Book a discovery call to get covered.