Impact
When an application opts into DelegatingDeserializer, an attacker can send records containing unique, random values in the spring.kafka.serialization.selector header. These values become keys in an internal delegate cache that is not bounded; as the cache grows, the consumer's heap consumption grows without limit, eventually forcing the garbage collector to thrash and causing an OutOfMemoryError. The vulnerability is a classic resource exhaustion flaw (CWE-770) that can be exploited to make the consumer process unavailable by exhausting its memory capacity, without granting any code-execution or data-breach privileges. The primary consequence is denial of service for the Kafka consumer component, potentially impacting any downstream services that rely on it.
Affected Systems
Spring for Apache Kafka versions 2.8.0 through 2.8.11, 2.9.0 through 2.9.13, 3.2.0 through 3.2.13, 3.3.0 through 3.3.15, and 4.0.0 through 4.0.5 are affected.
Risk and Exploitability
The CVSS score of 6.5 reflects a moderate severity impact limited to availability. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread exploitation is not currently observed. The likely attack vector is a remote Kafka producer that can inject arbitrary selector headers; the attacker must repeatedly send messages with unique header values to grow the cache to the point of exhaustion. The exploit does not require privileged access or a pre-existing foothold beyond the ability to produce messages to a topic the target consumer reads, but it can disrupt service if the consumer is critical to application logic.
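As an added illustration (not Spring Kafka's code), the following Python model contrasts the unbounded, header-keyed delegate cache described above with an allowlisted variant whose memory footprint is fixed, and adds a per-batch cardinality check that a consumer-side monitor could use to spot a flood of unique selector values. The header name is the one from the advisory; the selector names, cache classes and sample batch are constructed assumptions.

```python
from collections import Counter

SELECTOR_HEADER = "spring.kafka.serialization.selector"
KNOWN_SELECTORS = ("order", "payment", "refund")  # constructed allowlist of legitimate selectors

class UnboundedDelegateCache:
    """Models the vulnerable behaviour: every unseen selector value gets a cache slot."""
    def __init__(self):
        self.delegates = {}
    def resolve(self, headers):
        selector = headers.get(SELECTOR_HEADER)
        # Key is attacker-controlled and never evicted, so the dict grows with every unique value
        return self.delegates.setdefault(selector, object())  # object() stands in for a deserializer

class AllowlistedDelegateCache:
    """Hardened variant: delegates are fixed at construction; unknown selectors are rejected."""
    def __init__(self, allowed):
        self.delegates = {name: object() for name in allowed}
        self.rejected = 0
    def resolve(self, headers):
        selector = headers.get(SELECTOR_HEADER)
        if selector not in self.delegates:
            self.rejected += 1
            raise ValueError(f"unknown selector {selector!r}")
        return self.delegates[selector]

def selector_cardinality(batch, threshold):
    """Detection signal: distinct selector values per batch. Legitimate traffic uses a
    handful; a flood of random values pushes the count past the threshold."""
    distinct = len(Counter(h.get(SELECTOR_HEADER) for h in batch))
    return distinct, distinct > threshold

def constructed_batch(n_hostile):
    """Constructed sample: one record per legitimate selector plus n_hostile unique junk values."""
    legit = [{SELECTOR_HEADER: s} for s in KNOWN_SELECTORS]
    hostile = [{SELECTOR_HEADER: f"junk-{i:08x}"} for i in range(n_hostile)]
    return legit + hostile

def run(n_hostile=1000):
    batch = constructed_batch(n_hostile)
    vulnerable, hardened = UnboundedDelegateCache(), AllowlistedDelegateCache(KNOWN_SELECTORS)
    for headers in batch:
        vulnerable.resolve(headers)
        try:
            hardened.resolve(headers)
        except ValueError:
            pass  # rejected record; a real consumer would route it to its error handler
    distinct, alert = selector_cardinality(batch, threshold=len(KNOWN_SELECTORS))
    return {"vulnerable_cache": len(vulnerable.delegates), "hardened_cache": len(hardened.delegates),
            "rejected": hardened.rejected, "distinct_selectors": distinct, "alert": alert}
```

With 1000 hostile records the vulnerable cache holds 1003 entries while the hardened one stays at 3, and the cardinality check raises an alert; with no hostile traffic both caches hold 3 and no alert fires.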
OpenCVE Enrichment