CVE-2025-59390

CRITICAL LAB

Apache Druid < 35.0.0 - Authentication Bypass

Title source: rule

Description

Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`, which is not a crypto-graphically secure random number generator. This may allow an attacker to predict or brute force the secret used to sign authentication cookies, potentially enabling token forgery or authentication bypass. Additionally, each process generates its own fallback secret, resulting in inconsistent secrets across nodes. This causes authentication failures in distributed or multi-broker deployments, effectively leading to a incorrectly configured clusters. Users are advised to configure a strong `druid.auth.authenticator.kerberos.cookieSignatureSecret` This issue affects Apache Druid: through 34.0.0. Users are recommended to upgrade to version 35.0.0, which fixes the issue making it mandatory to set `druid.auth.authenticator.kerberos.cookieSignatureSecret` when using the Kerberos authenticator. Services will fail to come up if the secret is not set.

Exploits (2)

github WORKING POC 1 stars
by exploitintel · pythonpoc
https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-59390
nomisec WRITEUP 1 stars
by Daeda1usUK · poc
https://github.com/Daeda1usUK/CVE-2025-59390-

References (2)

Scores

CVSS v3 9.8
EPSS 0.0006
EPSS Percentile 17.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

EIP LAB Lab screenshot
vulnerable docker pull ghcr.io/exploitintel/cve-2025-59390-vulnerable:latest
COMMUNITY
docker pull zookeeper:3.5.10

Details

CWE
CWE-338
Status published
Products (2)
apache/druid < 35.0.0
org.apache.druid/druid 0 - 35.0.0Maven
Published Nov 26, 2025
Tracked Since Feb 18, 2026