9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-59390

GHSA ID

GHSA-w88f-4875-99c8

EPSS Score

0.00039%

CWE

CWE-338

Published

11/26/2025

Updated

11/26/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-59390

CVE-2025-59390: Apache Druid’s Kerberos authenticator uses a weak fallback secret

Apache Druid’s Kerberos authenticator uses a weak fallback secret when the druid.auth.authenticator.kerberos.cookieSignatureSecret configuration is not explicitly set. In this case, the secret is generated using ThreadLocalRandom, which is not a crypto-graphically secure random number generator. This may allow an attacker to predict or brute force the secret used to sign authentication cookies, potentially enabling token forgery or authentication bypass. Additionally, each process generates its own fallback secret, resulting in inconsistent secrets across nodes. This causes authentication failures in distributed or multi-broker deployments, effectively leading to a incorrectly configured clusters. Users are advised to configure a strong druid.auth.authenticator.kerberos.cookieSignatureSecret

This issue affects Apache Druid: through 34.0.0.

Users are recommended to upgrade to version 35.0.0, which fixes the issue making it mandatory to set druid.auth.authenticator.kerberos.cookieSignatureSecret when using the Kerberos authenticator. Services will fail to come up if the secret is not set.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-59390

CVE-2025-59390:

9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-59390

GHSA ID

GHSA-w88f-4875-99c8

EPSS Score

0.00039%

CWE

CWE-338

Published

11/26/2025

Updated

11/26/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.druid:druid	maven	< 35.0.0	35.0.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability in Apache Druid's Kerberos authenticator stemmed from the use of a cryptographically weak pseudo-random number generator (ThreadLocalRandom) to create a fallback secret for signing authentication cookies when one was not explicitly configured. This weak secret could be predicted or brute-forced by an attacker, allowing them to forge authentication tokens and bypass authentication. The analysis of the provided patches confirms this. The commit c0e355778ce334e804def728fa660bb208f9012a directly addresses this issue. The primary vulnerable function was org.apache.druid.security.kerberos.KerberosAuthenticator.init, where the weak secret was generated. The patch removes this insecure fallback and instead throws an exception. The constructor, org.apache.druid.security.kerberos.KerberosAuthenticator.KerberosAuthenticator, was also modified to enforce the mandatory presence of the cookieSignatureSecret configuration, preventing the insecure code path from ever being reached. Therefore, any runtime profile during an exploit attempt would involve the KerberosAuthenticator class, specifically the init method in the vulnerable version.

Vulnerable functions

org.apache.druid.security.kerberos.KerberosAuthenticator.init

extensions-core/druid-kerberos/src/main/java/org/apache/druid/security/kerberos/KerberosAuthenticator.java

The `init` method was vulnerable because when the `signature.secret` configuration was not provided, it would generate a secret using `ThreadLocalRandom.current().nextLong()`. `ThreadLocalRandom` is not a cryptographically secure random number generator, making the generated secret predictable and susceptible to brute-force attacks. This could allow an attacker to forge authentication cookies.

org.apache.druid.security.kerberos.KerberosAuthenticator.KerberosAuthenticator

extensions-core/druid-kerberos/src/main/java/org/apache/druid/security/kerberos/KerberosAuthenticator.java

The constructor for `KerberosAuthenticator` was modified to enforce that the `cookieSignatureSecret` is provided. Previously, it would allow this value to be null, which would then trigger the vulnerable code path in the `init` method to generate a weak secret. The patch adds a validation check to ensure the secret is always provided, thus mitigating the vulnerability.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-59390: Apache Druid’s Kerberos authenticator uses a weak fallback secret

CVE-2025-59390:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-59390: Apache Druid’s Kerberos authenticator uses a weak fallback secret

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

9.8

9.8

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI