CVE-2025-59390

CRITICAL LAB

Apache Druid <= 34.0.0 - Weak Cookie Signature Secret via ThreadLocalRandom

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-59390. PoCs published by exploitintel, Daeda1usUK.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2025-59390, an Apache Druid Kerberos authentication bypass vulnerability caused by weak PRNG cookie signing. The PoC includes multiple attack vectors, including JVM memory scanning and cookie forgery, along with a detailed lab setup and technical analysis.

Description

Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`, which is not a crypto-graphically secure random number generator. This may allow an attacker to predict or brute force the secret used to sign authentication cookies, potentially enabling token forgery or authentication bypass. Additionally, each process generates its own fallback secret, resulting in inconsistent secrets across nodes. This causes authentication failures in distributed or multi-broker deployments, effectively leading to a incorrectly configured clusters. Users are advised to configure a strong `druid.auth.authenticator.kerberos.cookieSignatureSecret` This issue affects Apache Druid: through 34.0.0. Users are recommended to upgrade to version 35.0.0, which fixes the issue making it mandatory to set `druid.auth.authenticator.kerberos.cookieSignatureSecret` when using the Kerberos authenticator. Services will fail to come up if the secret is not set.

Exploits (2)

github WORKING POC 1 stars
by exploitintel · pythonpoc
https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-59390

This repository contains a functional exploit for CVE-2025-59390, an Apache Druid Kerberos authentication bypass vulnerability caused by weak PRNG cookie signing. The PoC includes multiple attack vectors, including JVM memory scanning and cookie forgery, along with a detailed lab setup and technical analysis.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Apache Druid ≤ 34.0.0
No auth needed
Prerequisites: Druid with Kerberos extension enabled · No explicit cookieSignatureSecret configuration
devstral-2 · analyzed Mar 02, 2026 Full analysis →
nomisec WRITEUP 1 stars
by Daeda1usUK · poc
https://github.com/Daeda1usUK/CVE-2025-59390-

The repository describes a vulnerability in Apache Druid's Kerberos authenticator where a weak fallback secret is used if not explicitly configured, allowing potential token forgery or authentication bypass. The issue stems from the use of ThreadLocalRandom for secret generation, which is not cryptographically secure.

Classification
Writeup 90%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Theoretical
Target: Apache Druid through 34.0.0
No auth needed
Prerequisites: Apache Druid with Kerberos authenticator enabled and no explicit cookieSignatureSecret configured
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2025/11/26/1

Scores

CVSS v3 9.8
EPSS 0.0007
EPSS Percentile 21.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Lab Environment

EIP LAB Lab screenshot
vulnerable docker pull ghcr.io/exploitintel/cve-2025-59390-vulnerable:latest

Details

CWE
CWE-338
Status published
Products (2)
apache/druid < 35.0.0
org.apache.druid/druid 0 - 35.0.0Maven
Published Nov 26, 2025
Tracked Since Feb 18, 2026