Add vpatch-CVE-2025-27817 rule and test

.appsec-tests/vpatch-CVE-2025-27817/CVE-2025-27817.yaml

@@ -0,0 +1,21 @@
+## autogenerated on 2026-02-11 14:36:16
+id: CVE-2025-27817
+info:
+  name: CVE-2025-27817
+  author: crowdsec
+  severity: info
+  description: CVE-2025-27817 testing
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"type":"kafka","spec":{"type":"kafka","ioConfig":{"type":"kafka","consumerProperties":{"bootstrap.servers":"127.0.0.1:6666","sasl.mechanism":"OAUTHBEARER","security.protocol":"SASL_SSL","sasl.login.callback.handler.class":"org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler","sasl.oauthbearer.token.endpoint.url":"file:///etc/passwd","sasl.jaas.config":"org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required sasl.oauthbearer.token.endpoint.url=\"http://127.0.0.1:9999/token\" sasl.oauthbearer.jwks.endpoint.url=\"http://127.0.0.1:9999/jwks\" sasl.oauthbearer.client.id=your-client-id sasl.oauthbearer.client.secret=your-client-secret sasl.oauthbearer.expected.audience=kafka sasl.oauthbearer.expected.issuer=\"http://127.0.0.1:9999\" useFirstPass=true serviceName=kafka debug=true;"},"topic":"test","useEarliestOffset":true,"inputFormat":{"type":"regex","pattern":"([\\s\\S]*)","listDelimiter":"","columns":["raw"]}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"!!!_no_such_column_!!!","missingValue":"1970-01-01T00:00:00Z"},"dimensionsSpec":{},"granularitySpec":{"rollup":false}},"tuningConfig":{"type":"kafka"}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}
+    cookie-reuse: true
+    matchers:
+    - type: status
+      status:
+       - 403

.appsec-tests/vpatch-CVE-2025-27817/config.yaml

@@ -0,0 +1,5 @@
+## autogenerated on 2026-02-11 14:36:16
+appsec-rules:
+  - ./appsec-rules/crowdsecurity/base-config.yaml
+  - ./appsec-rules/crowdsecurity/vpatch-CVE-2025-27817.yaml
+nuclei_template: CVE-2025-27817.yaml

appsec-rules/crowdsecurity/vpatch-CVE-2025-27817.yaml

@@ -0,0 +1,40 @@
+## autogenerated on 2026-02-11 14:36:16
+name: crowdsecurity/vpatch-CVE-2025-27817
+description: 'Detects Apache Kafka Client arbitrary file read via untrusted sasl.oauthbearer.token.endpoint.url in Druid sampler endpoint.'
+rules:
+  - and:
+      - zones:
+          - URI
+        transform:
+          - lowercase
+        match:
+          type: contains
+          value: /druid/indexer/v1/sampler
+      - zones:
+          - BODY_ARGS_NAMES
+        transform:
+          - lowercase
+        match:
+          type: contains
+          value: sasl.oauthbearer.token.endpoint.url
+      - zones:
+          - BODY_ARGS
+        variables:
+          - json.spec.ioConfig.consumerProperties.sasl.oauthbearer.token.endpoint.url
+        transform:
+          - lowercase
+        match:
+          type: contains
+          value: file://
+
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: 'http:exploit'
+  label: 'Apache Kafka - LFI'
+  classification:
+    - cve.CVE-2025-27817
+    - attack.T1190
+    - cwe.CWE-918

collections/crowdsecurity/appsec-virtual-patching.yaml

@@ -93,6 +93,7 @@ appsec-rules:
 - crowdsecurity/vpatch-CVE-2021-44529
 - crowdsecurity/vpatch-CVE-2024-57727
 - crowdsecurity/vpatch-CVE-2024-27292
+- crowdsecurity/vpatch-CVE-2025-27817
 - crowdsecurity/vpatch-CVE-2025-24893
 - crowdsecurity/vpatch-CVE-2021-43798
 - crowdsecurity/vpatch-CVE-2022-1388