CVE-2025-27888

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-27888
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27888.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-27888
Aliases
Published
2025-03-20T12:15:14.563Z
Modified
2026-04-10T05:25:08.090363Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Severity: medium (5.8) / important

Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Druid.

This issue affects all previous Druid versions.

When using the Druid management proxy, a request that has a specially crafted URL could be used to redirect the request to an arbitrary server instead. This has the potential for XSS or XSRF. The user is required to be authenticated for this exploit. The management proxy is enabled in Druid's out-of-box configuration. It may be disabled to mitigate this vulnerability. If the management proxy is disabled, some web console features will not work properly, but core functionality is unaffected.

Users are recommended to upgrade to Druid 31.0.2 or Druid 32.0.1, which fixes the issue.

References

Affected packages

Git / github.com/apache/druid

Affected ranges

Type
GIT
Repo
https://github.com/apache/druid
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
230605ec33db326c37154a03bcc4edfccc40203b
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "31.0.2"
        }
    ]
}

Affected versions

druid-0.*
druid-0.1.0
druid-0.1.1
druid-0.1.10
druid-0.1.11
druid-0.1.12
druid-0.1.13
druid-0.1.14
druid-0.1.2
druid-0.1.3
druid-0.1.4
druid-0.1.6
druid-0.1.7
druid-0.1.8
druid-0.1.9
druid-0.3.10
druid-0.3.11
druid-0.3.12
druid-0.3.13
druid-0.3.14
druid-0.3.15
druid-0.3.16
druid-0.3.18
druid-0.3.20
druid-0.3.21
druid-0.3.22
druid-0.3.24
druid-0.3.25
druid-0.3.27
druid-0.3.28
druid-0.3.29
druid-0.3.30
druid-0.3.31
druid-0.3.32
druid-0.3.33
druid-0.3.34
druid-0.3.4
druid-0.3.5
druid-0.3.6
druid-0.4.0
druid-0.4.1
druid-0.4.10
druid-0.4.11
druid-0.4.12
druid-0.4.15
druid-0.4.16
druid-0.4.17
druid-0.4.18
druid-0.4.19
druid-0.4.2
druid-0.4.20
druid-0.4.21
druid-0.4.22
druid-0.4.23
druid-0.4.24
druid-0.4.25
druid-0.4.26
druid-0.4.27
druid-0.4.28
druid-0.4.29
druid-0.4.3
druid-0.4.30
druid-0.4.31
druid-0.4.32
druid-0.4.5
druid-0.4.6
druid-0.4.7
druid-0.4.8
druid-0.4.9
druid-0.5.0
druid-0.5.1
druid-0.5.10
druid-0.5.11
druid-0.5.13
druid-0.5.14
druid-0.5.15
druid-0.5.16
druid-0.5.17
druid-0.5.18
druid-0.5.19
druid-0.5.2
druid-0.5.20
druid-0.5.21
druid-0.5.22
druid-0.5.23
druid-0.5.24
druid-0.5.25
druid-0.5.26
druid-0.5.27
druid-0.5.29
druid-0.5.3
druid-0.5.30
druid-0.5.31
druid-0.5.32
druid-0.5.33
druid-0.5.34
druid-0.5.35
druid-0.5.38
druid-0.5.39
druid-0.5.41
druid-0.5.42
druid-0.5.43
druid-0.5.44
druid-0.5.45
druid-0.5.46
druid-0.5.47
druid-0.5.48
druid-0.5.49
druid-0.5.5
druid-0.5.51
druid-0.5.52
druid-0.5.53
druid-0.5.54
druid-0.5.56
druid-0.5.57
druid-0.5.58
druid-0.5.7
druid-0.5.8
druid-0.5.9
druid-0.6.0
druid-0.6.1
druid-0.6.10
druid-0.6.100
druid-0.6.101
druid-0.6.102
druid-0.6.103
druid-0.6.104
druid-0.6.105
druid-0.6.106
druid-0.6.107
druid-0.6.108
druid-0.6.109
druid-0.6.11
druid-0.6.110
druid-0.6.111
druid-0.6.112
druid-0.6.113
druid-0.6.114
druid-0.6.115
druid-0.6.116
druid-0.6.117
druid-0.6.118
druid-0.6.119
druid-0.6.12
druid-0.6.120
druid-0.6.121
druid-0.6.122
druid-0.6.123
druid-0.6.124
druid-0.6.125
druid-0.6.126
druid-0.6.127
druid-0.6.128
druid-0.6.129
druid-0.6.13
druid-0.6.130
druid-0.6.131
druid-0.6.132
druid-0.6.133
druid-0.6.134
druid-0.6.135
druid-0.6.136
druid-0.6.137
druid-0.6.138
druid-0.6.139
druid-0.6.14
druid-0.6.140
druid-0.6.141
druid-0.6.142
druid-0.6.143
druid-0.6.144
druid-0.6.145
druid-0.6.146
druid-0.6.147
druid-0.6.148
druid-0.6.149
druid-0.6.15
druid-0.6.150
druid-0.6.151
druid-0.6.152
druid-0.6.153
druid-0.6.154
druid-0.6.155
druid-0.6.156
druid-0.6.157
druid-0.6.158
druid-0.6.159
druid-0.6.16
druid-0.6.160
druid-0.6.17
druid-0.6.18
druid-0.6.19
druid-0.6.2
druid-0.6.20
druid-0.6.21
druid-0.6.22
druid-0.6.23
druid-0.6.24
druid-0.6.25
druid-0.6.26
druid-0.6.27
druid-0.6.28
druid-0.6.29
druid-0.6.3
druid-0.6.30
druid-0.6.31
druid-0.6.32
druid-0.6.33
druid-0.6.34
druid-0.6.35
druid-0.6.36
druid-0.6.37
druid-0.6.38
druid-0.6.39
druid-0.6.4
druid-0.6.40
druid-0.6.41
druid-0.6.42
druid-0.6.45
druid-0.6.46
druid-0.6.47
druid-0.6.48
druid-0.6.49
druid-0.6.5
druid-0.6.50
druid-0.6.51
druid-0.6.52
druid-0.6.53
druid-0.6.54
druid-0.6.55
druid-0.6.56
druid-0.6.57
druid-0.6.58
druid-0.6.59
druid-0.6.60
druid-0.6.61
druid-0.6.62
druid-0.6.63
druid-0.6.64
druid-0.6.65
druid-0.6.66
druid-0.6.68
druid-0.6.69
druid-0.6.7
druid-0.6.70
druid-0.6.71
druid-0.6.72
druid-0.6.73
druid-0.6.74
druid-0.6.75
druid-0.6.76
druid-0.6.77
druid-0.6.78
druid-0.6.79
druid-0.6.8
druid-0.6.81
druid-0.6.82
druid-0.6.83
druid-0.6.84
druid-0.6.85
druid-0.6.86
druid-0.6.87
druid-0.6.88
druid-0.6.89
druid-0.6.9
druid-0.6.90
druid-0.6.91
druid-0.6.92
druid-0.6.93
druid-0.6.94
druid-0.6.95
druid-0.6.96
druid-0.6.97
druid-0.6.98
druid-0.6.99
druid-0.7.0
druid-0.7.0-rc1
druid-0.7.0-rc2
druid-0.7.0-rc3
druid-0.7.1
druid-0.7.1-rc1
druid-0.8.0-rc1
druid-31.*
druid-31.0.1
druid-31.0.1-rc1
druid-31.0.1-rc2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27888.json"