CVE-2025-59390

CRITICAL LAB

Apache Druid < 35.0.0 - Authentication Bypass

Title source: rule

Description

Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`, which is not a crypto-graphically secure random number generator. This may allow an attacker to predict or brute force the secret used to sign authentication cookies, potentially enabling token forgery or authentication bypass. Additionally, each process generates its own fallback secret, resulting in inconsistent secrets across nodes. This causes authentication failures in distributed or multi-broker deployments, effectively leading to a incorrectly configured clusters. Users are advised to configure a strong `druid.auth.authenticator.kerberos.cookieSignatureSecret` This issue affects Apache Druid: through 34.0.0. Users are recommended to upgrade to version 35.0.0, which fixes the issue making it mandatory to set `druid.auth.authenticator.kerberos.cookieSignatureSecret` when using the Kerberos authenticator. Services will fail to come up if the secret is not set.

Exploits (2)

nomisec WRITEUP 1 stars
by Daeda1usUK · poc
https://github.com/Daeda1usUK/CVE-2025-59390-
github WORKING POC 1 stars
by exploitintel · pythonpoc
https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-59390

References (2)

Scores

CVSS v3 9.8
EPSS 0.0008
EPSS Percentile 22.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

Lab screenshot
kdc vulnerable
docker pull ghcr.io/exploitintel/cve-2025-59390-vulnerable:latest
All Labs GitHub

Classification

CWE
CWE-338
Status published

Affected Products (2)

apache/druid < 35.0.0
org.apache.druid/druid < 35.0.0Maven

Timeline

Published Nov 26, 2025
Tracked Since Feb 18, 2026