CVE-2025-59390

Source
https://cve.org/CVERecord?id=CVE-2025-59390
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59390.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-59390
Aliases
Published
2025-11-26T09:15:46.033Z
Modified
2026-04-10T05:32:01.906936Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Apache Druid's Kerberos authenticator uses a weak fallback secret when the druid.auth.authenticator.kerberos.cookieSignatureSecret configuration is not explicitly set. In this case, the secret is generated using ThreadLocalRandom, which is not a cryptographically secure random number generator. This may allow an attacker to predict or brute force the secret used to sign authentication cookies, potentially enabling token forgery or authentication bypass. Additionally, each process generates its own fallback secret, resulting in inconsistent secrets across nodes. This causes authentication failures in distributed or multi-broker deployments, effectively leading to incorrectly configured clusters. Users are advised to configure a strong druid.auth.authenticator.kerberos.cookieSignatureSecret.

This issue affects Apache Druid: through 34.0.0.

Users are recommended to upgrade to version 35.0.0, which fixes the issue by making it mandatory to set druid.auth.authenticator.kerberos.cookieSignatureSecret when using the Kerberos authenticator. Services will fail to come up if the secret is not set.

References

Affected packages

Git / github.com/apache/druid

Affected ranges

Type
GIT
Repo
https://github.com/apache/druid
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "35.0.0"
        }
    ]
}

Affected versions

druid-0.*
druid-0.1.0
druid-0.1.1
druid-0.1.10
druid-0.1.11
druid-0.1.12
druid-0.1.13
druid-0.1.14
druid-0.1.2
druid-0.1.3
druid-0.1.4
druid-0.1.6
druid-0.1.7
druid-0.1.8
druid-0.1.9
druid-0.3.10
druid-0.3.11
druid-0.3.12
druid-0.3.13
druid-0.3.14
druid-0.3.15
druid-0.3.16
druid-0.3.18
druid-0.3.20
druid-0.3.21
druid-0.3.22
druid-0.3.24
druid-0.3.25
druid-0.3.27
druid-0.3.28
druid-0.3.29
druid-0.3.30
druid-0.3.31
druid-0.3.32
druid-0.3.33
druid-0.3.34
druid-0.3.4
druid-0.3.5
druid-0.3.6
druid-0.4.0
druid-0.4.1
druid-0.4.10
druid-0.4.11
druid-0.4.12
druid-0.4.15
druid-0.4.16
druid-0.4.17
druid-0.4.18
druid-0.4.19
druid-0.4.2
druid-0.4.20
druid-0.4.21
druid-0.4.22
druid-0.4.23
druid-0.4.24
druid-0.4.25
druid-0.4.26
druid-0.4.27
druid-0.4.28
druid-0.4.29
druid-0.4.3
druid-0.4.30
druid-0.4.31
druid-0.4.32
druid-0.4.5
druid-0.4.6
druid-0.4.7
druid-0.4.8
druid-0.4.9
druid-0.5.0
druid-0.5.1
druid-0.5.10
druid-0.5.11
druid-0.5.13
druid-0.5.14
druid-0.5.15
druid-0.5.16
druid-0.5.17
druid-0.5.18
druid-0.5.19
druid-0.5.2
druid-0.5.20
druid-0.5.21
druid-0.5.22
druid-0.5.23
druid-0.5.24
druid-0.5.25
druid-0.5.26
druid-0.5.27
druid-0.5.29
druid-0.5.3
druid-0.5.30
druid-0.5.31
druid-0.5.32
druid-0.5.33
druid-0.5.34
druid-0.5.35
druid-0.5.38
druid-0.5.39
druid-0.5.41
druid-0.5.42
druid-0.5.43
druid-0.5.44
druid-0.5.45
druid-0.5.46
druid-0.5.47
druid-0.5.48
druid-0.5.49
druid-0.5.5
druid-0.5.51
druid-0.5.52
druid-0.5.53
druid-0.5.54
druid-0.5.56
druid-0.5.57
druid-0.5.58
druid-0.5.7
druid-0.5.8
druid-0.5.9
druid-0.6.0
druid-0.6.1
druid-0.6.10
druid-0.6.100
druid-0.6.101
druid-0.6.102
druid-0.6.103
druid-0.6.104
druid-0.6.105
druid-0.6.106
druid-0.6.107
druid-0.6.108
druid-0.6.109
druid-0.6.11
druid-0.6.110
druid-0.6.111
druid-0.6.112
druid-0.6.113
druid-0.6.114
druid-0.6.115
druid-0.6.116
druid-0.6.117
druid-0.6.118
druid-0.6.119
druid-0.6.12
druid-0.6.120
druid-0.6.121
druid-0.6.122
druid-0.6.123
druid-0.6.124
druid-0.6.125
druid-0.6.126
druid-0.6.127
druid-0.6.128
druid-0.6.129
druid-0.6.13
druid-0.6.130
druid-0.6.131
druid-0.6.132
druid-0.6.133
druid-0.6.134
druid-0.6.135
druid-0.6.136
druid-0.6.137
druid-0.6.138
druid-0.6.139
druid-0.6.14
druid-0.6.140
druid-0.6.141
druid-0.6.142
druid-0.6.143
druid-0.6.144
druid-0.6.145
druid-0.6.146
druid-0.6.147
druid-0.6.148
druid-0.6.149
druid-0.6.15
druid-0.6.150
druid-0.6.151
druid-0.6.152
druid-0.6.153
druid-0.6.154
druid-0.6.155
druid-0.6.156
druid-0.6.157
druid-0.6.158
druid-0.6.159
druid-0.6.16
druid-0.6.160
druid-0.6.17
druid-0.6.18
druid-0.6.19
druid-0.6.2
druid-0.6.20
druid-0.6.21
druid-0.6.22
druid-0.6.23
druid-0.6.24
druid-0.6.25
druid-0.6.26
druid-0.6.27
druid-0.6.28
druid-0.6.29
druid-0.6.3
druid-0.6.30
druid-0.6.31
druid-0.6.32
druid-0.6.33
druid-0.6.34
druid-0.6.35
druid-0.6.36
druid-0.6.37
druid-0.6.38
druid-0.6.39
druid-0.6.4
druid-0.6.40
druid-0.6.41
druid-0.6.42
druid-0.6.45
druid-0.6.46
druid-0.6.47
druid-0.6.48
druid-0.6.49
druid-0.6.5
druid-0.6.50
druid-0.6.51
druid-0.6.52
druid-0.6.53
druid-0.6.54
druid-0.6.55
druid-0.6.56
druid-0.6.57
druid-0.6.58
druid-0.6.59
druid-0.6.60
druid-0.6.61
druid-0.6.62
druid-0.6.63
druid-0.6.64
druid-0.6.65
druid-0.6.66
druid-0.6.68
druid-0.6.69
druid-0.6.7
druid-0.6.70
druid-0.6.71
druid-0.6.72
druid-0.6.73
druid-0.6.74
druid-0.6.75
druid-0.6.76
druid-0.6.77
druid-0.6.78
druid-0.6.79
druid-0.6.8
druid-0.6.81
druid-0.6.82
druid-0.6.83
druid-0.6.84
druid-0.6.85
druid-0.6.86
druid-0.6.87
druid-0.6.88
druid-0.6.89
druid-0.6.9
druid-0.6.90
druid-0.6.91
druid-0.6.92
druid-0.6.93
druid-0.6.94
druid-0.6.95
druid-0.6.96
druid-0.6.97
druid-0.6.98
druid-0.6.99
druid-0.7.0
druid-0.7.0-rc1
druid-0.7.0-rc2
druid-0.7.0-rc3
druid-0.7.1
druid-0.7.1-rc1
druid-0.8.0-rc1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59390.json"