oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2025-27888: Apache Druid: Server-Side Request Forgery and Cross-Site Scripting

From: Adarsh Sanjeev <adarshsanjeev () apache org>
Date: Wed, 19 Mar 2025 16:23:09 +0000
Affected versions:

- Apache Druid before 31.0.2
- Apache Druid before 32.0.1

Description:

Severity: medium (5.8) / important

Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site 
Scripting'), URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Druid.

This issue affects all previous Druid versions.


When using the Druid management proxy, a request that has a specially crafted URL could be used to redirect the request 
to an arbitrary server instead. This has the potential for XSS or XSRF. The user is required to be authenticated for 
this exploit. The management proxy is enabled in Druid's out-of-box configuration. It may be disabled to mitigate this 
vulnerability. If the management proxy is disabled, some web console features will not work properly, but core 
functionality is unaffected.


Users are recommended to upgrade to Druid 31.0.2 or Druid 32.0.1, which fixes the issue.

References:

https://druid.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-27888
Previous By Date Next
Previous By Thread Next

Current thread: