CVE-2025-59390

CWE-338 | 4 documents | 4 sources
Severity
9.8 CRITICAL
EPSS
0.1%
top 76.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Nov 26

Description

Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`, which is not a cryptographically secure random number generator. This may allow an attacker to predict or brute force the secret used to sign authentication cookies, potentially enabling token forgery or authentication bypass. Additionally, each process generates
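A defensive configuration check implied by the description, added here as an example that is not part of the advisory or of the Druid project: it scans a Druid properties file and reports every Kerberos authenticator that does not set `cookieSignatureSecret` and therefore falls back to the weak generated secret. It assumes Druid's authenticator naming convention (`druid.auth.authenticator.<name>.type=kerberos`) and runs on a constructed sample.

```python
import re
from typing import Dict, List

# Constructed sample of a Druid runtime.properties fragment (not from the advisory).
# "krb" sets an explicit secret; "kerberos" relies on the fallback; "basic" is not affected.
SAMPLE_PROPERTIES = """
druid.auth.authenticatorChain=["krb", "kerberos", "basic"]
druid.auth.authenticator.krb.type=kerberos
druid.auth.authenticator.krb.serverPrincipal=HTTP/_HOST@EXAMPLE.COM
druid.auth.authenticator.krb.cookieSignatureSecret=replace-with-a-long-random-value
druid.auth.authenticator.kerberos.type=kerberos
druid.auth.authenticator.basic.type=basic
"""

# Assumed key layout: druid.auth.authenticator.<name>.<property>
KEY_RE = re.compile(r"^druid\.auth\.authenticator\.([^.]+)\.(\w+)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: key=value (or key: value), '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def kerberos_authenticators_without_secret(props: Dict[str, str]) -> List[str]:
    """Names of authenticators of type 'kerberos' whose cookieSignatureSecret is unset or empty."""
    names = [m.group(1) for k, v in props.items()
             if (m := KEY_RE.match(k)) and m.group(2) == "type" and v.lower() == "kerberos"]
    return [n for n in names
            if not props.get(f"druid.auth.authenticator.{n}.cookieSignatureSecret")]


if __name__ == "__main__":
    missing = kerberos_authenticators_without_secret(parse_properties(SAMPLE_PROPERTIES))
    for name in missing:
        print(f"authenticator '{name}' relies on the weak fallback secret (CVE-2025-59390)")
```

Point it at a real `runtime.properties` by replacing the constructed sample with the file contents; any name it prints should get an explicitly configured, randomly generated secret.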

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages: 3 packages

Vulnerability Details (3 sources)

CVEList: Apache Druid: Kerberos authentication chooses a cryptographically unsecure secret if not configured explicitly. (2025-11-26)
OSV: Apache Druid’s Kerberos authenticator uses a weak fallback secret (2025-11-26)
GHSA: Apache Druid’s Kerberos authenticator uses a weak fallback secret (2025-11-26)
CVE-2025-59390 (CRITICAL CVSS 9.8) | Apache Druid’s Kerberos authenticat | cvebase.io