Impact
kafka-python versions before 2.3.2 are vulnerable to denial of service when a broker, or a man-in-the-middle attacker on the path to one, sends a specially crafted 4-byte frame-length prefix to the client's receive_bytes() function. The decoded length is used directly, without bounds validation, either to size a memory allocation or to raise a ValueError. A huge positive value therefore drives a multi-gigabyte allocation in the client, while an out-of-range value breaks the connection and leaves in-flight requests hung, so consumers stop sending heartbeats until the connection is reset. The weakness is CWE-789 (Memory Allocation with Excessive Size Value): an attacker-controlled size reaches the allocator unchecked.
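To make the failure mode concrete, the following is an added illustration, not kafka-python's own code: a minimal length-prefixed frame reader in the vulnerable shape beside a hardened one that validates the 4-byte prefix before any allocation. The limit MAX_FRAME_BYTES, the FrameParser class and the byte strings fed to it are constructed for this example and are not taken from the advisory.

```python
import struct

# Illustrative cap on a single frame. This value is an assumption for the
# example; a real client should derive it from the broker's configured
# message size limit or a conservative application-level maximum.
MAX_FRAME_BYTES = 100 * 1024 * 1024  # 100 MiB


class FrameTooLarge(ValueError):
    """Raised when a frame-length prefix fails validation."""


def decode_frame_length_unchecked(header: bytes) -> int:
    """Vulnerable pattern: trust the 4-byte big-endian length as received.

    Returns the number of bytes the caller would go on to allocate, so a
    peer that sends 0x7FFFFFFF forces a ~2 GiB allocation, and a negative
    value surfaces later as an exception that tears the connection down.
    """
    (size,) = struct.unpack('>i', header[:4])
    return size


def decode_frame_length(header: bytes, max_bytes: int = MAX_FRAME_BYTES) -> int:
    """Hardened pattern: reject negative or oversized lengths up front."""
    (size,) = struct.unpack('>i', header[:4])
    if size < 0:
        raise FrameTooLarge(f'negative frame length {size}')
    if size > max_bytes:
        raise FrameTooLarge(f'frame length {size} exceeds limit {max_bytes}')
    return size


class FrameParser:
    """Incremental parser for length-prefixed frames (constructed example).

    Bytes arrive in arbitrary chunks; a frame body is only buffered once its
    length prefix has passed decode_frame_length, so hostile prefixes never
    reach the allocator.
    """

    def __init__(self, max_bytes: int = MAX_FRAME_BYTES):
        self.max_bytes = max_bytes
        self._buf = bytearray()
        self._need = None  # body length once a header has been validated

    def feed(self, data: bytes) -> list:
        """Consume data and return the complete frame bodies it completes."""
        self._buf += data
        frames = []
        while True:
            if self._need is None:
                if len(self._buf) < 4:
                    break
                self._need = decode_frame_length(bytes(self._buf[:4]), self.max_bytes)
                del self._buf[:4]
            if len(self._buf) < self._need:
                break
            frames.append(bytes(self._buf[:self._need]))
            del self._buf[:self._need]
            self._need = None
        return frames


def header_is_rejected(header: bytes, max_bytes: int = MAX_FRAME_BYTES) -> bool:
    """True if the hardened parser refuses this length prefix."""
    try:
        FrameParser(max_bytes).feed(header)
    except FrameTooLarge:
        return True
    return False


if __name__ == '__main__':
    hostile = b'\x7f\xff\xff\xff'  # constructed: 2147483647-byte frame
    print('unchecked would allocate', decode_frame_length_unchecked(hostile))
    print('checked rejects hostile header:', header_is_rejected(hostile))
    p = FrameParser()
    print(p.feed(b'\x00\x00\x00\x05hel'), p.feed(b'lo'))
```

The hardened parser fails fast with a typed exception, which lets the connection layer close the socket deliberately and fail pending requests instead of leaving them hung.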
Affected Systems
The affected product is kafka-python, version 2.3.1 and earlier, published by Dana Powers on the Python Package Index (PyPI). Any application that uses one of these versions to connect to a broker, or to any network endpoint that an attacker could spoof or control, is at risk.
Risk and Exploitability
The CVSS score of 8.7 classifies this vulnerability as high severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, so there is currently no public evidence of exploitation in the wild. The attack vector is network-based: an attacker who can send traffic to a kafka-python client, or modify traffic between it and its broker, can reach the vulnerable frame-length parsing path. Because the failure is memory exhaustion or a hung connection, the direct impact is confined to the client process, but it can escalate to a service outage when that client is part of a critical data pipeline.
OpenCVE Enrichment