Apache Pulsar Proxy target broker address isn't validated
Description
Improper Input Validation vulnerability in the Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address. When the Apache Pulsar Proxy component is used, it is possible to attempt to open TCP/IP connections to any IP address and port that the Pulsar Proxy can connect to. An attacker could use this to launch DoS attacks that originate from the Pulsar Proxy's IP address. No bypass of Pulsar Proxy authentication has been detected: the attacker must hold a valid token for a properly secured Pulsar Proxy. This issue affects Apache Pulsar Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.2; 2.9.0 to 2.9.1; 2.6.4 and earlier.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input validation in Apache Pulsar Proxy allows attackers to initiate TCP connections from the proxy's IP, enabling potential DoS attacks.
CVE-2022-24280 is an improper input validation vulnerability in the Proxy component of Apache Pulsar. The Proxy does not adequately validate target broker addresses when proxying connections, allowing an attacker to make TCP/IP connection attempts originating from the Pulsar Proxy's IP address [1][2][3].
To exploit this vulnerability, an attacker must have a valid token to a properly secured Pulsar Proxy [2][3]. With authenticated access, the attacker can attempt to open TCP/IP connections to any IP address and port that the Pulsar Proxy can connect to, effectively using the proxy as a relay [2][3].
The primary impact of this flaw is enabling denial-of-service (DoS) attacks that appear to originate from the Pulsar Proxy's IP address, potentially masking the attacker's true location [2][3]. However, Apache has stated that the Proxy authentication itself cannot be bypassed through this vulnerability [2][3].
Mitigation involves upgrading to patched versions (2.7.5+, 2.8.3+, 2.9.2+) and applying configuration changes to restrict proxied broker connections to known addresses and ports (6650, 6651) using the brokerProxyAllowedHostNames and brokerProxyAllowedIPAddresses settings [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
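A defensive allowlist check of the kind the mitigation above describes, added here as an illustration and not Pulsar's own code. The setting names come from the page; the matching semantics (glob hostname patterns, CIDR ranges for IP entries), the sample values and the function names are assumptions.

```python
import fnmatch
import ipaddress

# Constructed sample values modelled on brokerProxyAllowedHostNames and
# brokerProxyAllowedIPAddresses; the glob/CIDR semantics are an assumption,
# not a copy of Pulsar's implementation.
ALLOWED_HOSTNAMES = ["broker-*.pulsar.internal", "pulsar-broker.svc"]
ALLOWED_IPS = ["10.20.0.0/16", "192.0.2.10"]
ALLOWED_PORTS = {6650, 6651}  # the broker ports named on the page


def host_allowed(target_host: str, hostnames, ips) -> bool:
    """Return True if a client-supplied broker host is on an allowlist."""
    try:
        addr = ipaddress.ip_address(target_host)
    except ValueError:
        addr = None
    if addr is not None:
        # Literal IP: compare against configured addresses / CIDR ranges.
        return any(addr in ipaddress.ip_network(e, strict=False) for e in ips)
    # Hostname: case-insensitive glob match against configured patterns.
    return any(fnmatch.fnmatchcase(target_host.lower(), p.lower())
               for p in hostnames)


def is_allowed_broker_target(target: str, hostnames=ALLOWED_HOSTNAMES,
                             ips=ALLOWED_IPS, ports=ALLOWED_PORTS) -> bool:
    """Validate a 'host:port' broker target before the proxy dials it.

    Rejecting anything not on the allowlists is what removes the
    open-relay behaviour described in the advisory: the proxy only
    ever connects to brokers the operator has named.
    """
    host, sep, port_str = target.rpartition(":")
    host = host.strip("[]")  # tolerate bracketed IPv6 literals
    if not sep or not host or not port_str.isdigit():
        return False  # malformed target; never attempt the connection
    if int(port_str) not in ports:
        return False
    return host_allowed(host, hostnames, ips)
```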
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.pulsar:pulsar | Maven | < 2.7.5 | 2.7.5 |
| org.apache.pulsar:pulsar | Maven | >= 2.8.0, < 2.8.3 | 2.8.3 |
| org.apache.pulsar:pulsar | Maven | >= 2.9.0, < 2.9.2 | 2.9.2 |
Affected products
- Range: 2.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-3mg9-m3f6-v7fq (source: ghsa; type: ADVISORY)
- [2] nvd.nist.gov/vuln/detail/CVE-2022-24280 (source: ghsa; type: ADVISORY)
- [3] lists.apache.org/thread/ghs9jtjfbpy4c6xcftyvkl6swznlom1v (source: ghsa; type: x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.