Hi Apoorva,
I made a typo in my email, I was referring to CVE-2025-5115. The short answer is upgrade to Kafka >= 4.1.0 to get a version of Jetty that addresses this issue.

Kind regards,
Jim

> On 12 Mar 2026, at 07:17, Apoorva Maheshwari <[email protected]> wrote:
>
> Hello Jim,
>
> Thanks for the quick response.
>
> But I need information about Jetty v12.0.25, in order to address Jetty CVE-2025-5115 not CVE-2025-5151.
>
> Also, if we see any compatibility concerns, with latest jetty and current Kafka will Kafka support that?
>
> Regards,
> Apoorva Maheshwari
>
> From: Jim Halfpenny <[email protected]>
> Sent: 11 March 2026 15:30
> To: [email protected]
> Cc: Steven Schlansker <[email protected]>; [email protected]; Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>; Apoorva Maheshwari <[email protected]>
> Subject: Re: Version info that supports Jetty v12.0.25
>
> Hi Apoorva,
> I've looked through the Kafka dependencies in Github and 4.1.0 contains Jetty 12.0.22, which contains fixes to address CVE-2025-5151.
>
> https://github.com/apache/kafka/blob/4.1.0/gradle/dependencies.gradle
>
> Is this the information you need? If you are using Kafka 3.x I expect you will need to upgrade to 4.x to obtain this fix, I am guessing that jumping from Jetty 9 to 12 is too big a leap for a simple backport of this fix.
>
> Kind regards,
> Jim
>
> On Wed, 11 Mar 2026 at 06:54, Apoorva Maheshwari via users <[email protected]> wrote:
> Hello,
>
> Can you please share your plan for Jetty release?
>
> Regards,
> Apoorva Maheshwari
>
> -----Original Message-----
> From: Steven Schlansker <[email protected]>
> Sent: 26 February 2026 22:00
> To: [email protected]
> Cc: [email protected]; Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>; Apoorva Maheshwari <[email protected]>
> Subject: Re: Version info that supports Jetty v12.0.25
>
> > On Feb 16, 2026, at 1:14 AM, Apoorva Maheshwari via users <[email protected]> wrote:
> >
> > Hello Team,
> >
> > Can you please confirm this pattern, that when we get any vulnerability of jetty and fix from Jetty is available, how soon Kafka release a new version with this Jetty?
>
> If you are urgently needing to adopt a Jetty release on your own schedule, rather than Kafka's schedule, you can always adopt new Jetty with your current Kafka version using Maven's <dependencyManagement> feature. This works for most projects, not just Kafka.
>
> Of course then you should test that the new combination works acceptably to your requirements, but it at least gives you an independent path forward without needing to pressure Kafka maintainers on new releases with dependency updates, until the normal release process delivers a fixed Kafka artifact.
>
> > Regards,
> > Apoorva Maheshwari
> >
> > From: Apoorva Maheshwari
> > Sent: 13 February 2026 11:10
> > To: '[email protected]' <[email protected]>; '[email protected]' <[email protected]>
> > Cc: Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>
> > Subject: RE: Version info that supports Jetty v12.0.25
> >
> > Response awaited.
> >
> > Regards,
> > Apoorva Maheshwari
> >
> > From: Apoorva Maheshwari
> > Sent: 11 February 2026 10:30
> > To: [email protected]; [email protected]
> > Cc: Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>
> > Subject: Version info that supports Jetty v12.0.25
> >
> > Hello Team,
> >
> > Please confirm your plan to release a version that supports Jetty v12.0.25, in order to address Jetty CVE-2025-5115.
> >
> > Regards,
> > Apoorva Maheshwari
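
The `<dependencyManagement>` override suggested in the quoted reply of 26 February, as an added example that is not part of the original thread and is not taken from Kafka's build files. It assumes a Maven project that consumes a Kafka artifact already on the Jetty 12 line and that the Jetty modules involved fall under the two Jetty BOMs shown; the property name `jetty.version` and the enforcer rule are illustrative choices.

```xml
<!-- Added example: fragment of the consuming project's own pom.xml (assumed layout) -->
<properties>
  <!-- Jetty version named in this thread as the target for CVE-2025-5115 -->
  <jetty.version>12.0.25</jetty.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Jetty core BOM: pins every org.eclipse.jetty module, including transitive ones -->
    <dependency>
      <groupId>org.eclipse.jetty</groupId>
      <artifactId>jetty-bom</artifactId>
      <version>${jetty.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
    <!-- Jetty EE10 BOM: assumed to cover the servlet-layer modules pulled in transitively -->
    <dependency>
      <groupId>org.eclipse.jetty.ee10</groupId>
      <artifactId>jetty-ee10-bom</artifactId>
      <version>${jetty.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>

<build>
  <plugins>
    <!-- Fail the build if any Jetty module older than the pinned version is still resolved -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <version>3.5.0</version>
      <executions>
        <execution>
          <id>ban-old-jetty</id>
          <goals><goal>enforce</goal></goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <excludes>
                  <exclude>org.eclipse.jetty:*:(,12.0.25)</exclude>
                  <exclude>org.eclipse.jetty.ee10:*:(,12.0.25)</exclude>
                </excludes>
              </bannedDependencies>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

This only changes the classpath Maven resolves for your own build; the jars shipped inside a Kafka binary distribution are not affected. Running `mvn dependency:tree -Dincludes='org.eclipse.jetty*'` shows which Jetty versions were actually resolved.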
