If you look at the dependencies for 4.0.2 and 4.1.2 you can see that Jetty 12.0.25 is present there.

https://github.com/apache/kafka/blob/4.0.2/gradle/dependencies.gradle
https://github.com/apache/kafka/blob/4.1.2/gradle/dependencies.gradle

Kind regards,
Jim

> On 20 Mar 2026, at 05:21, Ashish Verma V <[email protected]> wrote:
>
> Hi Jim,
>
> Any update on this query.
>
> Thanks
> Ashish Verma
>
> From: Apoorva Maheshwari <[email protected]>
> Sent: 16 March 2026 08:39
> To: Jim Halfpenny <[email protected]>
> Cc: [email protected]; Steven Schlansker <[email protected]>; [email protected]; Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>; Ashish Verma V <[email protected]>
> Subject: RE: Version info that supports Jetty v12.0.25
>
> Hello,
>
> CVE-2025-5115 is fixed in Jetty 12.0.25.
> Although, latest released Kafka 4.2.0 still have dependency on Jetty 12.0.22.
> Kindly let us know in which Kafka version, you are planning to take Jetty 12.0.25 or later.
>
> Regards,
> Apoorva Maheshwari
>
> From: Jim Halfpenny <[email protected]>
> Sent: 12 March 2026 13:05
> To: Apoorva Maheshwari <[email protected]>
> Cc: [email protected]; Steven Schlansker <[email protected]>; [email protected]; Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>
> Subject: Re: Version info that supports Jetty v12.0.25
>
> Hi Apoorva,
> I made a typo in my email, I was referring to CVE-2025-5115. The short answer is upgrade to Kafka >= 4.1.0 to get a version of Jetty that addresses this issue.
>
> Kind regards,
> Jim
>
>
> On 12 Mar 2026, at 07:17, Apoorva Maheshwari <[email protected]> wrote:
>
> Hello Jim,
>
> Thanks for the quick response.
>
> But I need information about Jetty v12.0.25, in order to address Jetty CVE-2025-5115 not CVE-2025-5151.
>
>
> Also, if we see any compatibility concerns, with latest jetty and current Kafka will Kafka support that?
>
> Regards,
> Apoorva Maheshwari
>
> From: Jim Halfpenny <[email protected]>
> Sent: 11 March 2026 15:30
> To: [email protected]
> Cc: Steven Schlansker <[email protected]>; [email protected]; Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>; Apoorva Maheshwari <[email protected]>
> Subject: Re: Version info that supports Jetty v12.0.25
>
> Hi Apoorva,
> I've looked through the Kafka dependencies in GitHub and 4.1.0 contains Jetty 12.0.22, which contains fixes to address CVE-2025-5151.
>
> https://github.com/apache/kafka/blob/4.1.0/gradle/dependencies.gradle
>
> Is this the information you need? If you are using Kafka 3.x I expect you will need to upgrade to 4.x to obtain this fix, I am guessing that jumping from Jetty 9 to 12 is too big a leap for a simple backport of this fix.
>
> Kind regards,
> Jim
>
>
>
> On Wed, 11 Mar 2026 at 06:54, Apoorva Maheshwari via users <[email protected]> wrote:
> Hello,
>
> Can you please share your plan for Jetty release?
>
> Regards,
> Apoorva Maheshwari
>
> -----Original Message-----
> From: Steven Schlansker <[email protected]>
> Sent: 26 February 2026 22:00
> To: [email protected]
> Cc: [email protected]; Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>; Apoorva Maheshwari <[email protected]>
> Subject: Re: Version info that supports Jetty v12.0.25
>
> > On Feb 16, 2026, at 1:14 AM, Apoorva Maheshwari via users <[email protected]> wrote:
> >
> > Hello Team,
> >
> > Can you please confirm this pattern, that when we get any vulnerability of jetty and fix from Jetty is available, how soon Kafka release a new version with this Jetty?
>
> If you are urgently needing to adopt a Jetty release on your own schedule, rather than Kafka's schedule, you can always adopt new Jetty with your current Kafka version using Maven's <dependencyManagement> feature. This works for most projects, not just Kafka.
>
> Of course then you should test that the new combination works acceptably to your requirements, but it at least gives you an independent path forward without needing to pressure Kafka maintainers on new releases with dependency updates, until the normal release process delivers a fixed Kafka artifact.
>
> > Regards,
> > Apoorva Maheshwari
> >
> > From: Apoorva Maheshwari
> > Sent: 13 February 2026 11:10
> > To: '[email protected]' <[email protected]>; '[email protected]' <[email protected]>
> > Cc: Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>
> > Subject: RE: Version info that supports Jetty v12.0.25
> >
> > Response awaited.
> >
> > Regards,
> > Apoorva Maheshwari
> >
> > From: Apoorva Maheshwari
> > Sent: 11 February 2026 10:30
> > To: [email protected]; [email protected]
> > Cc: Abhishek Kant Rattan <[email protected]>; Sahil Sharma D <[email protected]>
> > Subject: Version info that supports Jetty v12.0.25
> >
> > Hello Team,
> >
> > Please confirm your plan to release a version that supports Jetty v12.0.25, in order to address Jetty CVE-2025-5115.
> >
> > Regards,
> > Apoorva Maheshwari
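
The check described at the top of this thread, reading the Jetty version out of a release's `gradle/dependencies.gradle` and comparing it with the fixed release, can be scripted. This is an added example, not part of the original thread or of Kafka's code; the sample file contents are constructed, and the `versions` map layout with a `jetty:` key is an assumption about that file.

```python
import re

# Constructed excerpt in the style of the versions map in Kafka's
# gradle/dependencies.gradle; the values are sample data, not any release's.
SAMPLE_GRADLE = """
versions += [
  jackson: "2.19.0",
  // jetty: "12.0.25",
  jetty: "12.0.22",
  junit: "5.13.1"
]
"""

FIXED_JETTY = "12.0.25"  # Jetty release with the CVE-2025-5115 fix, as stated in the thread


def declared_version(gradle_text, key="jetty"):
    """Return the version string for `key`, ignoring commented-out entries."""
    # The key must be the first token on its line, so '// jetty: ...' never matches.
    pattern = re.compile(r'^\s*' + re.escape(key) + r'\s*:\s*"([^"]+)"', re.MULTILINE)
    found = set(pattern.findall(gradle_text))
    if len(found) != 1:
        raise LookupError(f"expected exactly one {key} entry, found {sorted(found)}")
    return found.pop()


def numeric_parts(version):
    """'12.0.25' -> (12, 0, 25); a trailing qualifier such as '.v2024' is ignored."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in match.group(0).split("."))


def has_fix(gradle_text, fixed=FIXED_JETTY):
    """Return (declared_version, verdict); verdict is None for another major line."""
    declared = declared_version(gradle_text)
    have, need = numeric_parts(declared), numeric_parts(fixed)
    if have[0] != need[0]:
        return declared, None  # e.g. Jetty 9: this threshold says nothing about it
    return declared, have >= need  # tuple compare, so 12.0.9 sorts below 12.0.25


if __name__ == "__main__":
    print(has_fix(SAMPLE_GRADLE))
```

Run it against the `dependencies.gradle` of the exact tag you deploy; the numeric comparison matters because a plain string comparison would rank 12.0.9 above 12.0.25.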
