### Critical Vulnerability Information

#### Vulnerability Description

- **Type**: Unsafe deserialization via malicious Serde configuration (leading to RCE/DoS). Strictly, the mechanism exercised below is arbitrary class loading rather than Java object deserialization: the application adds an attacker-named JAR to a class loader and instantiates an attacker-named class from it. The effect is the same as a deserialization gadget chain: attacker-chosen code runs inside the server process.
- **Location**: Dashboard → "Configure New Cluster" interface (backed by a `PUT` to `/api/config`).

#### Reproduction Steps

1. Open the "Configure New Cluster" interface and go to the Serde configuration section.
2. Submit the cluster configuration as a `PUT` request to `/api/config`, adding a malicious serde element to the `serde` array of the cluster entry in the JSON payload. Example payload snippet:

```json
"serde": [
  {
    "name": "malicious-serde",
    "className": "com.attacker.malicious.ExploitClass",
    "filePath": "/tmp/exploit.jar"
  }
]
```

3. `filePath` points to a JAR file under the attacker's control that contains the malicious class. The JAR must already exist at that path on the Kafka-UI host (inside the container in the tested deployment); the report does not state how it was placed there, so the attacker needs a separate way to write a file to a known path, or a path that is already writable to them.
4. On submission, the application loads the JAR from the given path into a class loader and instantiates the class named in `className`. No validation restricts the path to an operator-provisioned directory or the class to a known set of serde implementations.

#### Impact

- **Remote Code Execution (RCE)**: Any code in the malicious class's static initializer, constructor, or a method the application invokes automatically (such as a `configure` method) runs in the application's context, giving full remote code execution with the privileges of the Kafka-UI process. Note that a static initializer runs as soon as the class is initialized, so validating the resulting object after instantiation is too late; the check has to happen before the class is loaded.

#### Environment

- **Kafka-UI Version**: v0.7.2
- **Deployment Method**: Docker container

#### Screenshots

- Screenshot 1 shows the implementation of a malicious class `MaliciousClass` that executes the command `mkdir /tmp/pwned.txt` in its static initialization block.
- Screenshot 2 shows the `/tmp` directory with `pwned.txt` present, confirming that the initializer ran and the RCE succeeded.
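The check a fix needs is illustrated below as an added example for this report; it is not Kafka-UI's own code and not a patch from the project. It assumes a hypothetical `SerdeConfigGuard` that an operator points at one intentionally mounted serde directory, and it runs before any class loader is created, since a static initializer (as in the screenshot) fires on class initialization, not on a later method call. The class-name pattern, method names and the allowed-directory setting are all assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.util.regex.Pattern;

/**
 * Validates a custom-serde entry ({className, filePath}) before any class loading happens.
 * Added example for this report; not Kafka-UI's own code. The allowed directory and the
 * method names are assumptions for illustration.
 */
public final class SerdeConfigGuard {

    // Fully qualified Java class name: dotted identifiers only, no slashes, spaces or shell text.
    private static final Pattern CLASS_NAME =
        Pattern.compile("^[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*$");

    private final Path allowedDir;

    public SerdeConfigGuard(Path allowedDir) throws IOException {
        // Canonicalize once so symlink tricks on the base directory cannot widen the check.
        this.allowedDir = allowedDir.toRealPath();
    }

    /** Returns the canonical jar path if the entry is acceptable, otherwise throws. */
    public Path validate(String className, String filePath) throws IOException {
        if (className == null || !CLASS_NAME.matcher(className).matches()) {
            throw new IllegalArgumentException("malformed class name: " + className);
        }
        if (filePath == null || filePath.isBlank()) {
            throw new IllegalArgumentException("filePath is required");
        }
        Path real;
        try {
            // Resolves "..", symlinks and relative segments; fails if the file does not exist.
            real = Path.of(filePath).toRealPath();
        } catch (NoSuchFileException e) {
            throw new IllegalArgumentException("serde jar does not exist: " + filePath, e);
        }
        if (!real.startsWith(allowedDir)) {
            // A path like the report's /tmp/exploit.jar is rejected here: outside the mounted directory.
            throw new IllegalArgumentException("serde jar outside allowed directory: " + real);
        }
        if (!Files.isRegularFile(real) || !real.getFileName().toString().endsWith(".jar")) {
            throw new IllegalArgumentException("serde path is not a .jar file: " + real);
        }
        return real;
    }

    // Stand-alone demonstration with constructed inputs: one legitimate jar inside the
    // allowed directory, and attacker-style entries that must all be rejected.
    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("serdes");
        Path goodJar = Files.createFile(base.resolve("my-serde.jar"));
        Path outside = Files.createTempFile("exploit", ".jar"); // in the temp dir, not under base

        SerdeConfigGuard guard = new SerdeConfigGuard(base);

        System.out.println("accepted: " + guard.validate("com.example.MySerde", goodJar.toString()));

        String[][] bad = {
            // Absolute path outside the allowed directory, as in the report's payload.
            {"com.attacker.malicious.ExploitClass", outside.toString()},
            // Traversal out of the allowed directory; toRealPath() collapses the ".." first.
            {"com.example.MySerde", base.resolve("../" + outside.getFileName()).toString()},
            // Class name that is not a Java identifier chain.
            {"com.example.MySerde; touch /tmp/x", goodJar.toString()},
        };
        for (String[] entry : bad) {
            try {
                guard.validate(entry[0], entry[1]);
                System.out.println("UNEXPECTEDLY accepted: " + entry[1]);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Path containment is checked on the canonical path with `Path.startsWith`, which compares whole components, so `/opt/serdes-evil/x.jar` does not pass for an allowed directory of `/opt/serdes`. The guard deliberately does not open the JAR or resolve the class: anything that touches the class loader can trigger `<clinit>`, which is exactly the code path the report abuses.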