Strimzi Kafka Operator Vulnerability: CVE-2025-66623 Exposes Kubernetes Secrets

Overview

A high-severity vulnerability, identified as CVE-2025-66623, has been discovered in Strimzi, a Kubernetes Operator for running Apache Kafka. It affects Strimzi versions from 0.47.0 up to, but not including, 0.49.1. It could allow the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands to gain unauthorized read access to every Kubernetes Secret in the namespace where they are deployed.

Technical Details

The vulnerability stems from an incorrectly configured Kubernetes Role that Strimzi creates when it deploys Kafka Connect and Kafka MirrorMaker 2 clusters. Specifically, the Role inadvertently grants the get verb on all Kubernetes Secrets in the target namespace rather than only on the Secrets those components need. As a result, Kafka Connect and MirrorMaker 2 pods running with this over-permissive Role could read sensitive information stored in other Secrets, such as database passwords, API keys, and other confidential data.
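One way for a cluster administrator to check for this pattern is to audit the Roles in a namespace for rules that can read Secrets without a resourceNames restriction. The following script is an added example, not Strimzi's own code: it reads the RoleList JSON that `kubectl get roles -n <namespace> -o json` returns, and the two Roles in the embedded sample (and their names) are constructed for illustration.

```python
"""Flag namespace Roles that grant unscoped read access to Secrets.

Input is a RoleList as returned by `kubectl get roles -n <namespace> -o json`.
The sample below is constructed for this example; the Role names are hypothetical.
"""
import json

READ_VERBS = {"get", "list", "watch"}


def secret_read_findings(role_list: dict) -> list:
    """Return one finding per Role rule that can read Secrets without a resourceNames scope."""
    findings = []
    for role in role_list.get("items", []):
        name = role["metadata"]["name"]
        for idx, rule in enumerate(role.get("rules") or []):
            groups = set(rule.get("apiGroups") or [])
            resources = set(rule.get("resources") or [])
            verbs = set(rule.get("verbs") or [])
            if not ({"", "*"} & groups):          # Secrets live in the core ("") API group
                continue
            if not ({"secrets", "*"} & resources):
                continue
            read = READ_VERBS if "*" in verbs else READ_VERBS & verbs
            if not read:
                continue
            if rule.get("resourceNames"):         # limited to named Secrets: acceptable
                continue
            findings.append({"role": name, "rule": idx, "verbs": sorted(read)})
    return findings


# Constructed sample: one over-broad Role (the vulnerable shape described above)
# and one Role scoped to a single named Secret (the shape a fixed Role should have).
SAMPLE_ROLE_LIST = json.loads("""
{"kind": "RoleList", "items": [
  {"metadata": {"name": "connect-overbroad-example"},
   "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
  {"metadata": {"name": "connect-scoped-example"},
   "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
              "resourceNames": ["my-connect-tls"]}]}
]}
""")

if __name__ == "__main__":
    for f in secret_read_findings(SAMPLE_ROLE_LIST):
        print(f"{f['role']}: rule {f['rule']} grants {f['verbs']} on every Secret in the namespace")
```

To run it against a live cluster, replace SAMPLE_ROLE_LIST with `json.load(sys.stdin)` and pipe in the kubectl output; a Role flagged here still needs a RoleBinding to a workload's ServiceAccount before any pod can use it.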

CVSS Analysis

This vulnerability has been assigned a CVSS score of 7.4, indicating a HIGH severity. The CVSS vector takes into account factors such as the scope of the vulnerability (namespace-wide), the ease of exploitation, and the potential impact on confidentiality.

Possible Impact

The exploitation of CVE-2025-66623 could have significant security implications. An attacker who gains access to Kubernetes Secrets could:

  • Compromise sensitive data stored in databases or other applications.
  • Gain unauthorized access to external APIs and services.
  • Escalate privileges within the Kubernetes cluster.
  • Disrupt critical business operations.

Mitigation and Patch Steps

The recommended mitigation is to upgrade to Strimzi version 0.49.1 or later. This release contains a fix for the incorrect Kubernetes Role configuration, removing the unintended access to Secrets.

To upgrade Strimzi, follow the official Strimzi upgrade documentation. Generally, this involves updating the Strimzi Cluster Operator deployment and subsequently rolling out the changes to your Kafka clusters managed by Strimzi.

If upgrading is not immediately feasible, consider implementing network policies to restrict access to Secrets from the Kafka Connect and MirrorMaker 2 pods as a temporary workaround. However, upgrading to the patched version is the most reliable and recommended solution.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.