In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization
High severity
GitHub Reviewed
Published
Jun 10, 2026
to the GitHub Advisory Database
•
Updated Jun 12, 2026
Package
Affected versions
>= 4.0.0, <= 4.0.5
>= 3.3.0, <= 3.3.15
>= 3.2.0, <= 3.2.13
>= 2.9.0, <= 2.9.13
<= 2.8.11
Patched versions
4.0.6
3.3.16
Description
Published by the National Vulnerability Database
Jun 10, 2026
Published to the GitHub Advisory Database
Jun 10, 2026
Last updated
Jun 12, 2026
Reviewed
Jun 12, 2026
JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types.
Affected versions:
Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
References