Description

Karapace is an open-source implementation of Kafka REST and Schema Registry. Versions 5.0.0 and 5.0.1 contain an authentication bypass vulnerability when configured to use OAuth 2.0 Bearer Token authentication. If a request is sent without an Authorization header, the token validation logic is skipped entirely, allowing an unauthenticated user to read and write to Schema Registry endpoints that should otherwise be protected. This effectively renders the OAuth authentication mechanism ineffective. This issue is fixed in version 5.0.2.

INFO

Published Date :

2025-10-03T21:12:24.471Z

Last Modified :

2025-10-06T13:19:08.624Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-61673 vulnerability.

Vendors Products
Aiven
  • Aiven
  • Karapace
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-61673.

URL Resource
https://github.com/Aiven-Open/karapace/pull/1143/commits/c4038e9ce9fa504b433d59ac2944e337292922c7 cve-icon cve-icon
https://github.com/Aiven-Open/karapace/releases/tag/5.0.2 cve-icon cve-icon
https://github.com/Aiven-Open/karapace/security/advisories/GHSA-vq25-vcrw-gj53 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact