CVE-2025-68637

Source
https://cve.org/CVERecord?id=CVE-2025-68637
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68637.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-68637
Published
2026-01-07T09:39:04.167Z
Modified
2026-07-15T01:49:04.667077184Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Apache Uniffle: Insecure SSL Configuration in Uniffle HTTP Client
Details

The Uniffle HTTP client is configured to trust all SSL certificates and

disables hostname verification by default. This insecure configuration exposes all REST API communication between the Uniffle CLI/client and the Uniffle Coordinator service to potential Man-in-the-Middle (MITM) attacks.

This issue affects all versions from before 0.10.0.

Users are recommended to upgrade to version 0.10.0, which fixes the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68637.json",
    "cwe_ids": [
        "CWE-297"
    ],
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "fixed": "0.10.0"
                }
            ],
            "source": "AFFECTED_FIELD"
        },
        {
            "extracted_events": [
                {
                    "fixed": "0.10.0"
                }
            ],
            "source": "DESCRIPTION"
        }
    ],
    "cna_assigner": "apache"
}
References

Affected packages

Git / github.com/apache/uniffle

Affected ranges

Type
GIT
Repo
https://github.com/apache/uniffle
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.10.0"
        }
    ],
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:apache:uniffle:*:*:*:*:*:*:*:*"
}

Affected versions

release-0.*
release-0.2.0
release-0.3.0
release-0.4.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68637.json"