The Windows NuGet packages (librdkafka.redist) currently bundle OpenSSL 3.3.2. This version is affected by CVE-2025-15467, a Critical (CVSS 9.8) stack buffer overflow in OpenSSL's CMS parsing. The fix requires OpenSSL 3.6 or later.
Impact
Any application using Confluent.Kafka / librdkafka.redist on Windows inherits libssl-3.dll and libcrypto-3.dll as transitive native dependencies. Security scanning tools (e.g., SentinelOne) flag these DLLs as vulnerable, and consumers of the NuGet package have no way to remediate this without an updated release from upstream.
Request
Please upgrade the bundled OpenSSL dependency to 3.6 or later in the next release.
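Until an updated package ships, consumers can at least confirm which OpenSSL build is on disk. The script below is an added example, not part of this issue or of the librdkafka project: it walks a build output or NuGet cache, finds the two DLL names the issue mentions, reads the `OpenSSL x.y.z` banner string that OpenSSL embeds in its binaries, and flags anything below 3.6.0 (the fix version named above). The directory layout, the sample bytes and the `MIN_SAFE` threshold are assumptions constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Native OpenSSL DLLs that librdkafka.redist ships on Windows (names from the issue).
OPENSSL_DLLS = ("libssl-3.dll", "libcrypto-3.dll")
# First release carrying the fix, per the issue text (assumed threshold).
MIN_SAFE = (3, 6, 0)
# OpenSSL embeds a plain banner such as "OpenSSL 3.3.2 ..." in libcrypto/libssl.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)")


def version_from_bytes(data: bytes):
    """Return (major, minor, patch) parsed from the banner, or None if absent."""
    match = VERSION_RE.search(data)
    return tuple(int(g) for g in match.groups()) if match else None


def is_vulnerable(version):
    """Unknown version is treated as vulnerable so it is never silently accepted."""
    return version is None or version < MIN_SAFE


def scan_tree(root: Path):
    """Walk root (bin/ folder or NuGet cache); return [(path, version, vulnerable)]."""
    findings = []
    for dll in root.rglob("*.dll"):
        if dll.name.lower() not in OPENSSL_DLLS:
            continue
        version = version_from_bytes(dll.read_bytes())
        findings.append((dll, version, is_vulnerable(version)))
    return findings


def demo():
    """Constructed sample: two fake DLLs with banners, written to a temp dir."""
    tmp = Path(tempfile.mkdtemp())
    old = tmp / "runtimes" / "win-x64" / "native" / "libssl-3.dll"
    old.parent.mkdir(parents=True)
    old.write_bytes(b"MZ\x00...OpenSSL 3.3.2\x00")      # mimics the currently bundled build
    new = tmp / "libcrypto-3.dll"
    new.write_bytes(b"MZ\x00...OpenSSL 3.6.0\x00")      # hypothetical patched build
    return {path.name: vulnerable for path, _, vulnerable in scan_tree(tmp)}


if __name__ == "__main__":
    for name, vulnerable in demo().items():
        print(f"{name}: {'VULNERABLE' if vulnerable else 'ok'}")
```

Point `scan_tree` at `%USERPROFILE%\.nuget\packages\librdkafka.redist` or an application's publish folder to check a real deployment.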