CVE-2025-61673

CVE-2025-61673 is an authentication bypass vulnerability affecting Karapace, an open-source implementation of Kafka REST and Schema Registry, specifically in versions 5.0.0 and 5.0.1. When configured to use OAuth 2.0 Bearer Token authentication, the vulnerability arises because requests sent without an Authorization header completely skip the token validation logic. This allows unauthorized access to Schema Registry endpoints that are intended to be protected, rendering the OAuth mechanism ineffective. The issue is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-306 (Missing Authentication for Critical Function), with a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L).

Any unauthenticated attacker with network access to the Karapace instance can exploit this vulnerability by simply omitting the Authorization header in HTTP requests. Successful exploitation enables reading from and writing to protected Schema Registry endpoints, potentially allowing attackers to manipulate schemas, inject malicious data into Kafka topics, or extract sensitive schema information, leading to high integrity impacts alongside low confidentiality and availability effects.

The vulnerability is fixed in Karapace version 5.0.2, as detailed in the project's security advisory (GHSA-vq25-vcrw-gj53), release notes, and the corresponding pull request commit. Security practitioners should prioritize upgrading affected deployments to the patched version to restore proper OAuth authentication enforcement.