jsonpath-plus CVEs in Kafka UI 1.4.2: status and remediation #1867
Open
Labels: area/ux (user experience issues), scope/frontend (related to frontend changes), status/triage (issues pending maintainers' triage), type/bug (something isn't working), type/security (addresses a security vulnerability)
Describe the bug (actual behavior)
Hello,
We are currently using Kafka UI (Kafbat) version 1.4.2.
Our security team recently identified vulnerabilities related to the jsonpath-plus package:
CVE-2024-21534
CVE-2025-1302
According to the advisories, these vulnerabilities affect older versions of jsonpath-plus, and CVE-2025-1302 appears to be fully patched starting from version 10.3.0.
Could you please clarify the following?
Is jsonpath-plus updated to a non-vulnerable version in Kafka UI 1.5.0?
If so, is upgrading to Kafka UI 1.5.0 sufficient to remediate these vulnerabilities?
If not, is there any recommended workaround or manual patching procedure for users currently running 1.4.2?
Are there any plans to address these CVEs in an upcoming release?
Thank you for your help and for maintaining the project.
Steps to reproduce
This is not a functional bug report but a security-related inquiry.
Steps:
Deploy Kafka UI version 1.4.2.
Scan application dependencies using a vulnerability scanning tool (e.g., SCA/dependency scanner).
Observe that the scanner reports vulnerabilities in the jsonpath-plus package:
CVE-2024-21534
CVE-2025-1302
I would like to confirm whether these vulnerabilities are addressed in Kafka UI 1.5.0 and whether any mitigation or upgrade path is recommended.
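The steps above rely on an external SCA scanner. As an added example (not code from this issue or from the Kafka UI project), here is the check a reviewer would run before trusting an upgrade: parse the frontend's package-lock.json and flag every installed copy of jsonpath-plus, including nested transitive copies, whose version is below 10.3.0, the version the issue cites as fully patched for CVE-2025-1302 (and therefore also for the older CVE-2024-21534). The lockfile contents and package names in the block are constructed for illustration, and the 10.3.0 threshold is taken from the issue text rather than verified independently here.

```javascript
// Added example: audit an npm lockfile for copies of jsonpath-plus older than the
// version the issue reports as patched. Not part of the Kafka UI project.
// Threshold taken from the issue text (CVE-2025-1302 fixed from 10.3.0); adjust if
// the advisory you rely on states a different fixed version.
const MIN_SAFE_JSONPATH_PLUS = '10.3.0';

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes ignored) into three numbers.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Collect every installed copy of `name` (path + version). Handles both
// lockfileVersion 2/3 ("packages" map keyed by path) and lockfileVersion 1
// (nested "dependencies" tree), because a stale copy nested under another
// dependency is exactly what a top-level-only check misses.
function findInstalled(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        hits.push({ path, version: info.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [depName, info] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${depName}`;
        if (depName === name) hits.push({ path, version: info.version });
        if (info.dependencies) walk(info.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Return only the copies that are still below the patched version.
function auditJsonpathPlus(lock) {
  return findInstalled(lock, 'jsonpath-plus')
    .filter((h) => compareSemver(h.version, MIN_SAFE_JSONPATH_PLUS) < 0)
    .map((h) => ({ ...h, minSafe: MIN_SAFE_JSONPATH_PLUS }));
}

// Constructed sample lockfile (not Kafka UI's real lockfile): the direct copy is
// already patched, but a transitive dependency still pins an old nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-frontend', version: '0.0.0' },
    'node_modules/jsonpath-plus': { version: '10.3.0' },
    'node_modules/some-lib': { version: '1.0.0' },
    'node_modules/some-lib/node_modules/jsonpath-plus': { version: '9.0.0' },
  },
};

// Usage: `node audit.js path/to/package-lock.json`; with no argument the sample is used.
const lock = process.argv[2]
  ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
  : SAMPLE_LOCK;
const findings = auditJsonpathPlus(lock);
if (findings.length === 0) {
  console.log(`no jsonpath-plus copy below ${MIN_SAFE_JSONPATH_PLUS} found`);
} else {
  for (const f of findings) {
    console.log(`VULNERABLE: ${f.path} is ${f.version} (need >= ${f.minSafe})`);
  }
}
```

Run it against the lockfile shipped in the release you intend to deploy; an empty result for every copy, not just the top-level one, is what "sufficient to remediate" should mean in practice.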