CVE-2025-59390
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-26

Last updated on: 2025-12-04

Assigner: Apache Software Foundation

Description
Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`, which is not a crypto-graphically secure random number generator. This may allow an attacker to predict or brute force the secret used to sign authentication cookies, potentially enabling token forgery or authentication bypass. Additionally, each process generates its own fallback secret, resulting in inconsistent secrets across nodes. This causes authentication failures in distributed or multi-broker deployments, effectively leading to a incorrectly configured clusters. Users are advised to configure a strongΒ `druid.auth.authenticator.kerberos.cookieSignatureSecret` This issue affects Apache Druid: through 34.0.0. Users are recommended to upgrade to version 35.0.0, which fixes the issue making it mandatory to set `druid.auth.authenticator.kerberos.cookieSignatureSecret` when using theΒ Kerberos authenticator. Services will fail to come up if the secret is not set.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-26
Last Modified
2025-12-04
Generated
2026-06-16
AI Q&A
2025-11-26
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59390
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache druid to 35.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

Apache Druid's Kerberos authenticator uses a weak fallback secret when the configuration 'druid.auth.authenticator.kerberos.cookieSignatureSecret' is not explicitly set. This fallback secret is generated using ThreadLocalRandom, which is not cryptographically secure. As a result, an attacker may be able to predict or brute force the secret used to sign authentication cookies, potentially allowing token forgery or authentication bypass. Additionally, each process generates its own fallback secret, causing inconsistent secrets across nodes and leading to authentication failures in distributed or multi-broker deployments.

Impact Analysis

This vulnerability can allow an attacker to predict or brute force the secret used to sign authentication cookies, which may enable token forgery or authentication bypass. In distributed or multi-broker deployments, inconsistent fallback secrets across nodes can cause authentication failures, effectively leading to incorrectly configured clusters and potential denial of service or unauthorized access.

Mitigation Strategies

To mitigate this vulnerability, you should explicitly configure a strong value for the 'druid.auth.authenticator.kerberos.cookieSignatureSecret' in your Apache Druid configuration. Additionally, upgrade Apache Druid to version 35.0.0 or later, where setting this secret is mandatory and the issue is fixed. Note that services will fail to start if the secret is not set in the fixed version, ensuring proper configuration.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59390. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart