CVE-2023-34040

MEDIUM

Spring for Apache Kafka <3.0.9 & <2.9.10 - Deserialization


Exploitation Summary

EIP tracks 5 public exploits for CVE-2023-34040. PoCs published by Contrast-Security-OSS, pyn3rd, JAckLosingHeart.

AI-analyzed exploit summary: This repository contains a proof-of-concept exploit for CVE-2023-34040, demonstrating both Denial of Service (DoS) and Remote Code Execution (RCE) via Spring Kafka deserialization vulnerabilities. The exploit leverages a modified DeserializationException class to bypass Spring-Kafka's deserialization protections.

Description

In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers. Specifically, an application is vulnerable when all of the following are true:

* The user does not configure an ErrorHandlingDeserializer for the key and/or value of the record
* The user explicitly sets the container properties checkDeserExWhenKeyNull and/or checkDeserExWhenValueNull to true
* The user allows untrusted sources to publish to a Kafka topic

By default, these properties are false, and the container only attempts to deserialize the headers if an ErrorHandlingDeserializer is configured. The ErrorHandlingDeserializer prevents the vulnerability by removing any such malicious headers before processing the record.

Exploits (5)

nomisec WORKING POC 46 stars
by Contrast-Security-OSS · poc
https://github.com/Contrast-Security-OSS/Spring-Kafka-POC-CVE-2023-34040

This repository contains a proof-of-concept exploit for CVE-2023-34040, demonstrating both Denial of Service (DoS) and Remote Code Execution (RCE) via Spring Kafka deserialization vulnerabilities. The exploit leverages a modified DeserializationException class to bypass Spring-Kafka's deserialization protections.

Classification: Working PoC (95%)
Attack Type: RCE | DoS | Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Spring Kafka (versions affected by CVE-2023-34040)
Authentication: none needed
Prerequisites: Java 11 · Maven · Docker (or Kafka) · Consumer with CheckDeserExWhenValueNull or CheckDeserExWhenKeyNull enabled
Analyzed by devstral-2 on Feb 16, 2026

nomisec WORKING POC 32 stars
by pyn3rd · poc
https://github.com/pyn3rd/CVE-2023-34040

This repository contains a proof-of-concept exploit for CVE-2023-34040, a Spring Kafka deserialization vulnerability. It includes a malicious serialization payload designed to trigger remote code execution via deserialization exceptions.

Classification: Working PoC (90%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Spring Kafka (versions affected by CVE-2023-34040)
Authentication: none needed
Prerequisites: Access to a vulnerable Spring Kafka endpoint · Ability to send crafted serialization data
Analyzed by devstral-2 on Feb 16, 2026

github WORKING POC 5 stars
by JAckLosingHeart · javapoc
https://github.com/JAckLosingHeart/CVE-PoC-Collection/tree/main/spring-CVE-2023-34040

This repository contains functional exploit code for multiple CVEs, including deserialization and RCE vulnerabilities in Java-based software. The PoCs are well-structured and include examples for vulnerabilities like Log4j, Fastjson, and Dubbo.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Various Java libraries (e.g., Log4j, Fastjson, Dubbo)
Authentication: none needed
Prerequisites: Vulnerable version of the target software · Network access to the target
Analyzed by devstral-2 on Feb 27, 2026

nomisec WORKING POC 1 star
by huyennhat-dev · poc
https://github.com/huyennhat-dev/cve-2023-34040

This repository contains a proof-of-concept exploit for CVE-2023-34040, demonstrating a Spring Kafka deserialization vulnerability that leads to remote code execution. The exploit includes a malicious payload that triggers arbitrary command execution via a crafted Kafka message.

Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Spring Kafka (versions affected by CVE-2023-34040)
Authentication: none needed
Prerequisites: Access to a vulnerable Spring Kafka endpoint · Ability to send crafted Kafka messages
Analyzed by devstral-2 on Feb 16, 2026

nomisec WORKING POC
by buiduchoang24 · poc
https://github.com/buiduchoang24/CVE-2023-34040

This repository contains a proof-of-concept exploit for CVE-2023-34040, demonstrating a deserialization vulnerability in Spring Kafka. The exploit leverages a malicious `ProcBuilder` class to execute arbitrary commands during deserialization.

Classification: Working PoC (95%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Spring Kafka (versions affected by CVE-2023-34040)
Authentication: none needed
Prerequisites: Access to a Kafka topic consumed by a vulnerable Spring Kafka application
Analyzed by devstral-2 on Feb 16, 2026

References (1)

Core reference (Mitigation, Vendor Advisory): https://spring.io/security/cve-2023-34040

Scores

CVSS v3: 5.3
EPSS: 0.2141
EPSS Percentile: 95.8%
Attack Vector: LOCAL
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-502
Status: published
Products (2):
* org.springframework.kafka/spring-kafka 2.8.1 - 2.9.11 (Maven)
* vmware/spring_for_apache_kafka 2.8.1 - 2.9.10
Published: Aug 24, 2023
Tracked Since: Feb 18, 2026