CVE-2025-61673
Published: 03 October 2025
Summary
CVE-2025-61673 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 39.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely identification, reporting, and correction of the authentication bypass flaw in Karapace versions 5.0.0 and 5.0.1 by upgrading to the patched version 5.0.2.
- AC-3 (Access Enforcement): Mandates enforcement of approved authorizations, ensuring OAuth Bearer Token validation is applied to all requests to protected Schema Registry endpoints and preventing bypass via missing Authorization headers.
- AC-14 (Permitted Actions Without Identification or Authentication): Requires explicit identification and authorization of any actions permitted without identification or authentication, ensuring protected endpoints such as the Schema Registry are not inadvertently accessible unauthenticated.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-61673 is an authentication bypass in a public-facing REST API service (Karapace Schema Registry), enabling unauthenticated remote attackers to access protected endpoints, directly mapping to exploitation of public-facing applications.
NVD Description
Karapace is an open-source implementation of Kafka REST and Schema Registry. Versions 5.0.0 and 5.0.1 contain an authentication bypass vulnerability when configured to use OAuth 2.0 Bearer Token authentication. If a request is sent without an Authorization header, the token validation logic is skipped entirely, allowing an unauthenticated user to read and write to Schema Registry endpoints that should otherwise be protected. This effectively renders the OAuth authentication mechanism ineffective. This issue is fixed in version 5.2.
Deeper analysis
CVE-2025-61673 is an authentication bypass vulnerability affecting Karapace, an open-source implementation of Kafka REST and Schema Registry, specifically in versions 5.0.0 and 5.0.1. When configured to use OAuth 2.0 Bearer Token authentication, the vulnerability arises because requests sent without an Authorization header completely skip the token validation logic. This allows unauthorized access to Schema Registry endpoints that are intended to be protected, effectively nullifying the OAuth authentication mechanism. The issue is rated with a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L) and is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-306 (Missing Authentication for Critical Function).
Attackers with network access to the affected Karapace instance can exploit this vulnerability without any privileges or user interaction. By simply omitting the Authorization header in HTTP requests, unauthenticated attackers can read from and write to protected Schema Registry endpoints, potentially compromising schema data integrity, confidentiality, and availability in Kafka-based environments.
Mitigation is available in Karapace version 5.0.2, which addresses the flaw through changes in the authentication handling logic, as detailed in the project's GitHub security advisory (GHSA-vq25-vcrw-gj53), the release notes for v5.0.2, and the associated pull request commit. Security practitioners should upgrade to 5.0.2 or later and verify OAuth configurations to ensure proper header enforcement.
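The flaw class described above (token validation that is only reached when an Authorization header is present) is illustrated here with a constructed, self-contained Python example; it is not Karapace's code and does not reproduce its actual handler, and the token set and header-checking helper are assumptions made for the illustration. It places the flawed decision logic next to the hardened form so the difference on a header-less request is visible.

```python
"""Constructed illustration of the CWE-288 pattern behind CVE-2025-61673.

NOT Karapace's code: a simplified authorization decision for a protected
Schema Registry route, shown as the flawed "validate only if present"
pattern beside the hardened "absent header is a failure" pattern.
"""
from typing import Mapping

# Assumed placeholder for a real validator; a real deployment verifies the
# bearer token (signature, issuer, audience, expiry) against the OAuth 2.0
# provider. Constructed sample value only.
VALID_TOKENS = {"example-valid-token"}


def _token_is_valid(header_value: str) -> bool:
    """Expects 'Bearer <token>' and checks the token against VALID_TOKENS."""
    scheme, _, token = header_value.partition(" ")
    return scheme == "Bearer" and token in VALID_TOKENS


def vulnerable_authorize(headers: Mapping[str, str]) -> bool:
    """Flawed pattern: the check only runs when the header exists.

    A request with no Authorization header never reaches the validator
    and falls through as allowed. Returns True when it would be served.
    """
    auth = headers.get("Authorization")
    if auth is not None:
        if not _token_is_valid(auth):
            return False      # present but bad: rejected
    return True               # absent: falls through, ALLOWED (the bug)


def fixed_authorize(headers: Mapping[str, str]) -> bool:
    """Hardened pattern: a missing header is itself an authentication failure."""
    auth = headers.get("Authorization")
    if auth is None:
        return False          # absent: rejected (would be a 401)
    return _token_is_valid(auth)


def compare(headers: Mapping[str, str]) -> dict:
    """Decision of both variants for the same request, for side-by-side review."""
    return {"vulnerable": vulnerable_authorize(headers),
            "fixed": fixed_authorize(headers)}


if __name__ == "__main__":
    # Constructed requests: header absent, bad token, valid token.
    for name, hdrs in [("no header", {}),
                       ("bad token", {"Authorization": "Bearer nope"}),
                       ("valid token", {"Authorization": "Bearer example-valid-token"})]:
        print(name, compare(hdrs))
```

The same contrast is the post-upgrade check a practitioner wants: a protected endpoint must refuse a request that carries no Authorization header at all, not only one that carries an invalid token.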
Details
- CWE(s)