Hello Kafka community,

We are using the official Apache Kafka 4.2.0 Docker image (apache/kafka) in production. During mandatory security scanning (Rapid7 Astra), the following CVEs are being reported from transitive dependencies bundled in the image under /opt/kafka/libs:
* CVE-2026-1605 – jetty-server 12.0.22
* CVE-2025-11143 – jetty-http 12.0.22
* CVE-2025-67030 – plexus-utils 3.5.1

We understand these are third-party libraries, not externally exposed by default, and not Kafka protocol vulnerabilities. However, our client requires either a remediation path or upstream guidance.

Could you please advise:

1. Whether an upcoming Kafka release is planned to update Jetty and/or plexus-utils to address these CVEs.
2. If there is any officially recommended mitigation or guidance for handling such scanner findings until dependencies are refreshed upstream.
3. Whether the expected approach is to treat these as acceptable vendor-dependency risk until Kafka updates the bundled libraries.

We want to stay aligned with Apache Kafka support and avoid unsupported modifications.

Thanks in advance for your guidance.

Regards,
Shivam Tomar
SR. SOFTWARE ENGINEER - WIPRO ENGINEERING EDGE
Mobile: +91-7000455806
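A first step many teams take before raising such findings upstream is to confirm, independently of the scanner, which artifact versions the image actually ships. The POSIX shell script below is an added example and is not part of the message above or of the Apache Kafka project; it reads the jar file names in a library directory (by default /opt/kafka/libs) and reports whether the three artifact/version pairs named in the scan report are present. It assumes the jars follow the usual "<artifact>-<version>.jar" naming, and the sample directories in the usage note are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread or the Kafka project): verify
# scanner findings against the jar versions actually bundled in the image.
# Assumption: jar file names follow "<artifact>-<version>.jar", as they do
# under /opt/kafka/libs in the apache/kafka image.

# Artifact/version pairs taken from the scan report in the message above.
FLAGGED="jetty-server 12.0.22
jetty-http 12.0.22
plexus-utils 3.5.1"

# jar_version ARTIFACT DIR
# Prints the version of every ARTIFACT-<version>.jar found in DIR (one per line);
# prints nothing if the artifact is not bundled.
jar_version() {
    artifact="$1"
    dir="$2"
    for f in "$dir"/"$artifact"-[0-9]*.jar; do
        [ -e "$f" ] || continue          # glob did not match anything
        base=$(basename "$f" .jar)
        printf '%s\n' "${base#"$artifact"-}"
    done
}

# check_libs DIR
# Compares each flagged artifact against what DIR contains. Returns 0 when none
# of the flagged versions is present, 1 when at least one is (so the call can
# gate a CI step or a build pipeline).
check_libs() {
    dir="$1"
    hits=0
    while read -r artifact version; do
        present=0
        for v in $(jar_version "$artifact" "$dir"); do
            present=1
            if [ "$v" = "$version" ]; then
                printf 'FOUND   %s-%s.jar matches the version in the scan report\n' "$artifact" "$v"
                hits=$((hits + 1))
            else
                printf 'OK      %s is bundled at %s, not %s\n' "$artifact" "$v" "$version"
            fi
        done
        [ "$present" -eq 1 ] || printf 'MISSING %s is not bundled in %s\n' "$artifact" "$dir"
    done <<EOF
$FLAGGED
EOF
    [ "$hits" -eq 0 ]
}

# Usage (inside the container, or against a copy of the directory):
#   . ./check_libs.sh && check_libs /opt/kafka/libs
```

Run it inside the container (or against a copy of /opt/kafka/libs made with `docker cp`) and keep the output with the ticket: a FOUND line confirms the scanner is reporting a bundled jar at the flagged version, an OK line with a newer version shows a later image already moved past it, and a MISSING line means the finding does not apply to this image. The non-zero exit status lets the same check run unattended as a gate, so a rebuilt image can be verified after an upstream dependency refresh without re-running the full scan.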
