@FrankYang0529 Could you please take a look or ping someone to review this?
It would be nice to include this in the future 3.9.2 release (I assume it is upcoming since the release candidate is presented)

@tengu-alt Thanks for the fix. We will take a look to check whether to include this in 3.9.2.

The CVE is regarding eclipse-ee4j/jersey#5749, and the patch was NOT merged into 2.39.1. Hence, I think Kafka 3.9.2 is NOT affected by CVE-2025-12383

@tengu-alt @FrankYang0529 WDYT?

@chia7712 https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/253 mentions a reproducer for the CVE is at https://github.com/dtbaum/jerseyCveCandidate. I was able to reproduce it with 2.39.1 as well using that repo by editing pom.xml to update the version and replacing jakarta.* imports with javax.* in JerseyCveCandidate.java.

@gaurav-narula thanks for the verification. I'm wondering whether it is the same issue, since PRs mentioned by the CVE is unrelated to 2.39.1

@gaurav-narula thanks for the verification. I'm wondering whether it is the same issue, since PRs mentioned by the CVE is unrelated to 2.39.1

I'm fairly certain it's the same issue as the PoC is asserting the same CVE and it's reproducible in 2.39.1. Here's the trail I could find:

• The bug was reported with Race condition eclipse-ee4j/jersey#5358
• Fixed in 2.41 with Race condition eclipse-ee4j/jersey#5359
• The above introduced a perf regression as commented here and explained here
• Initial attempt to fix with Jersey update from 3.1.3 to 3.1.4 slows down our external service res… eclipse-ee4j/jersey#5749 which had shortcomings
• Final fix which fixes both the race and the perf regression with Fix possible concurrent issue with SSL & default connector eclipse-ee4j/jersey#5794

@gaurav-narula thanks for the info

@FrankYang0529 it seems we need to cut another RC

Does this mean that the CVE data is just wrong?

I ask because CVE-2025-12383 only references 2.45, 3.0.16, 3.1.9

Does this mean that the CVE data is just wrong?

I ask because CVE-2025-12383 only references 2.45, 3.0.16, 3.1.9

I think the issue exists in releases where either of the following conditions hold:

1. eclipse-ee4j/jersey@d4a0612 is not merged, so < 2.41, < 3.0.12, < 3.1.4 OR
2. eclipse-ee4j/jersey@425bc88 is merged without eclipse-ee4j/jersey@b2c7ba6, so =3.0.16 and =3.1.9

Releases between (1) and (2) would suffer from the perf degradation mentioned in eclipse-ee4j/jersey#5738. Once again, I'm basing this off of the PoC to reproduce the issue at https://github.com/dtbaum/jerseyCveCandidate.

It would be nice to get a confirmation from jersey developers on this. I'll need some approvals (and hence time) to be able to participate in discussions at https://gitlab.eclipse.org/security/cve-assignment/-/issues/74. In the mean time, I agree we should get another RC going for 3.9.2 with the version bumped.

@FrankYang0529 @gaurav-narula , I've updated PR with 2.47

BTW, also want to add that vulnerability comes from the HttpUrlConnector class, which causes a Race Condition as it said here: https://security.snyk.io/vuln/SNYK-JAVA-ORGGLASSFISHJERSEYCORE-14049172
And according to https://security.snyk.io/package/maven/org.glassfish.jersey.core%3Ajersey-client/2.39.1 a similar Race Condition appears in 2.39.1 , and the resolved versions are the same as for the CVE-2025-12383

sorry didn't see the approve, thank you

@tengu-alt It's ok. Let's wait for the CI result.