Hi Apoorva,

I've looked through the Kafka dependencies in GitHub and 4.1.0 contains Jetty 12.0.22, which contains fixes to address CVE-2025-5151.

https://github.com/apache/kafka/blob/4.1.0/gradle/dependencies.gradle

Is this the information you need?

If you are using Kafka 3.x I expect you will need to upgrade to 4.x to obtain this fix; I am guessing that jumping from Jetty 9 to 12 is too big a leap for a simple backport of this fix.

Kind regards,
Jim

On Wed, 11 Mar 2026 at 06:54, Apoorva Maheshwari via users <[email protected]> wrote:

> Hello,
>
> Can you please share your plan for Jetty release?
>
> Regards,
> Apoorva Maheshwari
>
> -----Original Message-----
> From: Steven Schlansker <[email protected]>
> Sent: 26 February 2026 22:00
> To: [email protected]
> Cc: [email protected]; Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>; Apoorva Maheshwari <[email protected]>
> Subject: Re: Version info that supports Jetty v12.0.25
>
> > On Feb 16, 2026, at 1:14 AM, Apoorva Maheshwari via users <[email protected]> wrote:
> >
> > Hello Team,
> >
> > Can you please confirm this pattern, that when we get any vulnerability of Jetty and a fix from Jetty is available, how soon Kafka releases a new version with this Jetty?
>
> If you are urgently needing to adopt a Jetty release on your own schedule, rather than Kafka's schedule, you can always adopt new Jetty with your current Kafka version using Maven's <dependencyManagement> feature. This works for most projects, not just Kafka.
>
> Of course then you should test that the new combination works acceptably to your requirements, but it at least gives you an independent path forward without needing to pressure Kafka maintainers on new releases with dependency updates, until the normal release process delivers a fixed Kafka artifact.
>
> > Regards,
> > Apoorva Maheshwari
> >
> > From: Apoorva Maheshwari
> > Sent: 13 February 2026 11:10
> > To: '[email protected]' <[email protected]>; '[email protected]' <[email protected]>
> > Cc: Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>
> > Subject: RE: Version info that supports Jetty v12.0.25
> >
> > Response awaited.
> >
> > Regards,
> > Apoorva Maheshwari
> >
> > From: Apoorva Maheshwari
> > Sent: 11 February 2026 10:30
> > To: [email protected]; [email protected]
> > Cc: Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>
> > Subject: Version info that supports Jetty v12.0.25
> >
> > Hello Team,
> >
> > Please confirm your plan to release a version that supports Jetty v12.0.25, in order to address Jetty CVE-2025-5115.
> >
> > Regards,
> > Apoorva Maheshwari
