Kafka UI

3 ways to get Remote Code Execution in Kafka UI

Github

A security researcher discovered three critical remote code execution (RCE) vulnerabilities in Kafka UI, a popular open source web application for managing and monitoring Apache Kafka clusters. The vulnerabilities were uncovered through an analysis of the message filtering function, which turned out to allow arbitrary code execution. The researcher demonstrated the exploit with a single GET HTTP request, even against Kafka UI instances protected by authentication, and notified the maintainers. The vulnerabilities were patched in Kafka UI version 0.7.2. The researcher advises Kafka UI users to review their configuration choices and update to the latest version to be protected against these vulnerabilities.