Impact
kafka-python versions below 2.3.2 contain a denial‑of‑service weakness in the handling of SCRAM authentication. The client function that processes the broker’s first authentication message accepts the SCRAM iteration count supplied by the broker and forwards it, unvalidated, to the operating system’s PBKDF2 routine. An attacker who controls or can spoof a broker can therefore supply an excessively large iteration count, so that the PBKDF2 call consumes CPU time without bound and blocks the client’s event loop. This stops producer sends, consumer polls, administrative operations, and heartbeat exchanges, potentially leading to consumer group eviction and repeated reconnect attempts.
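The defensive pattern this weakness calls for is to bound the broker-supplied iteration count before any key derivation runs. The following is an added example written for this page; it is not kafka-python's code and does not claim to reproduce the 2.3.2 fix. It parses a SCRAM server-first message ("r=...,s=...,i=..."), accepts only an ASCII decimal "i" value within a configured window, and calls PBKDF2 last, so a hostile value costs a parse error rather than CPU time. The bounds MIN_SCRAM_ITERATIONS and MAX_SCRAM_ITERATIONS, the function names, and the sample messages are assumptions made for the example (the nonce and salt follow the RFC 5802 worked example).

```python
import base64
import hashlib
from typing import Dict, Tuple

# Bounds on the broker-supplied iteration count. The lower bound follows the
# RFC 5802 / RFC 7677 recommendation; the upper bound is an assumption made
# for this example (not a kafka-python setting) and should be tuned to the
# PBKDF2 cost a client is willing to pay per authentication attempt.
MIN_SCRAM_ITERATIONS = 4096
MAX_SCRAM_ITERATIONS = 100_000


class ScramServerFirstError(ValueError):
    """Raised when the server-first message is malformed or unacceptable."""


def parse_server_first(message: str) -> Dict[str, str]:
    """Split 'r=...,s=...,i=...' into a dict keyed by attribute letter."""
    fields: Dict[str, str] = {}
    for attr in message.split(","):
        if len(attr) < 2 or attr[1] != "=":
            raise ScramServerFirstError(f"malformed attribute {attr!r}")
        fields[attr[0]] = attr[2:]
    for required in ("r", "s", "i"):
        if required not in fields:
            raise ScramServerFirstError(f"missing attribute {required!r}")
    return fields


def validate_iterations(raw: str,
                        minimum: int = MIN_SCRAM_ITERATIONS,
                        maximum: int = MAX_SCRAM_ITERATIONS) -> int:
    """Parse the 'i' attribute and reject anything outside [minimum, maximum].

    Only ASCII decimal digits are accepted, so signs, whitespace and
    non-ASCII digit characters are refused before int() ever sees them.
    """
    if not (raw.isascii() and raw.isdigit()):
        raise ScramServerFirstError(f"iteration count is not a decimal integer: {raw!r}")
    iterations = int(raw)
    if iterations < minimum:
        raise ScramServerFirstError(f"iteration count {iterations} below minimum {minimum}")
    if iterations > maximum:
        raise ScramServerFirstError(f"iteration count {iterations} exceeds maximum {maximum}")
    return iterations


def salted_password(password: str, server_first: str, hashname: str = "sha256") -> bytes:
    """Derive the SCRAM SaltedPassword, but only after bounding the iteration count.

    PBKDF2 is the expensive step, so it runs only once every broker-supplied
    field has been checked.
    """
    fields = parse_server_first(server_first)
    iterations = validate_iterations(fields["i"])
    salt = base64.b64decode(fields["s"], validate=True)
    return hashlib.pbkdf2_hmac(hashname, password.encode("utf-8"), salt, iterations)


def server_first_is_acceptable(server_first: str) -> Tuple[bool, str]:
    """Convenience wrapper: (True, '') if the message passes, else (False, reason)."""
    try:
        fields = parse_server_first(server_first)
        validate_iterations(fields["i"])
        base64.b64decode(fields["s"], validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        return False, str(exc)
    return True, ""


if __name__ == "__main__":
    # Constructed sample messages; nonce and salt follow the RFC 5802 example.
    benign = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
    hostile = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4000000000"
    print("benign:", server_first_is_acceptable(benign))
    print("hostile:", server_first_is_acceptable(hostile))
    print("salted password:", salted_password("pencil", benign).hex())
```

The upper bound is the important setting: a client that runs authentication on its event loop should cap the iteration count at the largest PBKDF2 cost it can tolerate per connection attempt, and a broker that exceeds it should be treated as misconfigured or hostile and disconnected, not accommodated.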
Affected Systems
The affected product is the kafka‑python client for Python, distributed by Dana Powers. All releases prior to version 2.3.2 are vulnerable. Any client in that version range that connects to a broker is at risk.
Risk and Exploitability
The CVSS score of 8.7 corresponds to high severity. No EPSS score is available, so the current likelihood of exploitation is uncertain, and the vulnerability is not listed in CISA KEV. The attack requires an attacker who can act as, or compromise, a broker that the client trusts, either through malicious infrastructure or a man‑in‑the‑middle position. The likely attack vector is therefore a malicious or compromised broker that supplies an excessively large SCRAM iteration count; this inference follows from the description, which states that the broker controls the iteration value. If successful, the client becomes unresponsive, which can disrupt downstream applications and data flow.
OpenCVE Enrichment