Version 12.0.25 will be included in the following Kafka releases: 4.3.0, 4.2.1, 4.0.2, 4.1.2, 3.9.3
see https://issues.apache.org/jira/browse/KAFKA-20168

On 2026/03/16 03:08:35 Apoorva Maheshwari via users wrote:
> Hello,
>
> CVE-2025-5115 is fixed in Jetty 12.0.25.
> Although, latest released Kafka 4.2.0 still have dependency on Jetty 12.0.22.
> Kindly let us know in which Kafka version, you are planning to take Jetty
> 12.0.25 or later.
>
> Regards,
> Apoorva Maheshwari
>
> From: Jim Halfpenny <[email protected]>
> Sent: 12 March 2026 13:05
> To: Apoorva Maheshwari <[email protected]>
> Cc: [email protected]; Steven Schlansker <[email protected]>; [email protected]; Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>
> Subject: Re: Version info that supports Jetty v12.0.25
>
> Hi Apoorva,
> I made a typo in my email, I was referring to CVE-2025-5115. The short answer
> is upgrade to Kafka >= 4.1.0 to get a version of Jetty that addresses this
> issue.
>
> Kind regards,
> Jim
>
>
> On 12 Mar 2026, at 07:17, Apoorva Maheshwari <[email protected]> wrote:
>
> Hello Jim,
>
> Thanks for the quick response.
>
> But I need information about Jetty v12.0.25, in order to address Jetty
> CVE-2025-5115 not CVE-2025-5151.
>
>
> Also, if we see any compatibility concerns, with latest jetty and current
> Kafka will Kafka support that?
>
> Regards,
> Apoorva Maheshwari
>
> From: Jim Halfpenny <[email protected]>
> Sent: 11 March 2026 15:30
> To: [email protected]
> Cc: Steven Schlansker <[email protected]>; [email protected]; Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>; Apoorva Maheshwari <[email protected]>
> Subject: Re: Version info that supports Jetty v12.0.25
>
> Hi Apoorva,
> I've looked through the Kafka dependencies in Github and 4.1.0 contains Jetty
> 12.0.22, which contains fixes to address CVE-2025-5151.
>
> https://github.com/apache/kafka/blob/4.1.0/gradle/dependencies.gradle
>
> Is this the information you need? If you are using Kafka 3.x I expect you
> will need to upgrade to 4.x to obtain this fix, I am guessing that jumping
> from Jetty 9 to 12 is too big a leap for a simple backport of this fix.
>
> Kind regards,
> Jim
>
>
>
> On Wed, 11 Mar 2026 at 06:54, Apoorva Maheshwari via users
> <[email protected]> wrote:
> Hello,
>
> Can you please share your plan for Jetty release?
>
> Regards,
> Apoorva Maheshwari
>
> -----Original Message-----
> From: Steven Schlansker <[email protected]>
> Sent: 26 February 2026 22:00
> To: [email protected]
> Cc: [email protected]; Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>; Apoorva Maheshwari <[email protected]>
> Subject: Re: Version info that supports Jetty v12.0.25
>
> > On Feb 16, 2026, at 1:14 AM, Apoorva Maheshwari via users
> > <[email protected]> wrote:
> >
> > Hello Team,
> >
> > Can you please confirm this pattern, that when we get any vulnerability of
> > jetty and fix from Jetty is available, how soon Kafka release a new version
> > with this Jetty?
>
> If you are urgently needing to adopt a Jetty release on your own schedule,
> rather than Kafka's schedule, you can always adopt new Jetty with your
> current Kafka version using Maven's <dependencyManagement> feature. This
> works for most projects, not just Kafka.
>
> Of course then you should test that the new combination works acceptably to
> your requirements, but it at least gives you an independent path forward
> without needing to pressure Kafka maintainers on new releases with dependency
> updates, until the normal release process delivers a fixed Kafka artifact.
>
> >
> > Regards,
> > Apoorva Maheshwari
> >
> > From: Apoorva Maheshwari
> > Sent: 13 February 2026 11:10
> > To: '[email protected]' <[email protected]>; '[email protected]' <[email protected]>
> > Cc: Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>
> > Subject: RE: Version info that supports Jetty v12.0.25
> >
> > Response awaited.
> >
> > Regards,
> > Apoorva Maheshwari
> >
> > From: Apoorva Maheshwari
> > Sent: 11 February 2026 10:30
> > To: [email protected]; [email protected]
> > Cc: Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>
> > Subject: Version info that supports Jetty v12.0.25
> >
> > Hello Team,
> >
> > Please confirm your plan to release a version that supports Jetty v12.0.25,
> > in order to address Jetty CVE-2025-5115.
> >
> > Regards,
> > Apoorva Maheshwari
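
The `<dependencyManagement>` override suggested in the thread, written out as an added example (it is not from any message in the thread or from the Kafka project). It assumes a Maven application with the hypothetical coordinates `com.example:kafka-app` that pulls in Jetty through Kafka's `connect-runtime` 4.2.0, and it pins Jetty by importing the Jetty BOMs at 12.0.25.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Hypothetical coordinates for the application that embeds Kafka -->
  <groupId>com.example</groupId>
  <artifactId>kafka-app</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- Per the thread: Kafka 4.2.0 depends on Jetty 12.0.22 -->
    <kafka.version>4.2.0</kafka.version>
    <!-- Per the thread: CVE-2025-5115 is fixed in Jetty 12.0.25 -->
    <jetty.version>12.0.25</jetty.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Importing the BOMs pins every Jetty module, transitive ones
           included, so no single module is left behind on 12.0.22 -->
      <dependency>
        <groupId>org.eclipse.jetty</groupId>
        <artifactId>jetty-bom</artifactId>
        <version>${jetty.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <dependency>
        <groupId>org.eclipse.jetty.ee10</groupId>
        <artifactId>jetty-ee10-bom</artifactId>
        <version>${jetty.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Assumption: Jetty arrives transitively via Kafka Connect's runtime -->
    <dependency>
      <groupId>org.apache.kafka</groupId>
      <artifactId>connect-runtime</artifactId>
      <version>${kafka.version}</version>
    </dependency>
  </dependencies>
</project>
```

Running `mvn dependency:tree -Dincludes='org.eclipse.jetty*'` against this POM shows which Jetty version each module resolves to, so a module still on 12.0.22 is visible before deployment. The override only affects builds that consume Kafka as a Maven dependency; a Kafka binary distribution keeps the Jetty jars it was built with.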
