CVE-2025-68637

9.1 CRITICAL

📋 TL;DR

This vulnerability allows attackers to perform Man-in-the-Middle attacks on all REST API communications between Uniffle CLI/client and Coordinator service due to insecure SSL configuration. It affects all Uniffle users with versions before 0.10.0, exposing sensitive data and potentially allowing unauthorized access.

💻 Affected Systems

Products:
  • Apache Uniffle
Versions: All versions before 0.10.0
Operating Systems: All platforms running Uniffle
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable as the insecure SSL configuration is the default setting.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full compromise of the Uniffle cluster with data interception, modification, and unauthorized administrative access to the Coordinator service.

🟠 Likely Case: Interception of sensitive configuration data, authentication credentials, and job execution details transmitted between CLI and Coordinator.

🟢 If Mitigated: Limited impact if network segmentation prevents MITM positioning or if alternative secure communication channels are used.

🌐 Internet-Facing: HIGH - Any internet-exposed Uniffle Coordinator with vulnerable clients is trivially exploitable via SSL stripping attacks.
🏢 Internal Only: MEDIUM - Internal attackers with network access could intercept communications, but requires privileged network positioning.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to intercept traffic but no authentication to Uniffle services. Standard SSL stripping tools can be used.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.10.0

Vendor Advisory: https://lists.apache.org/thread/trvdd11hmpbjno3t8rc9okr4t036ox2v

Restart Required: Yes

Instructions:

1. Download Uniffle 0.10.0 from the official Apache repository.
2. Stop all Uniffle services.
3. Replace the existing installation with 0.10.0.
4. Restart the Coordinator and all client services.
5. Verify that SSL certificate validation is now enforced.

🔧 Temporary Workarounds

Configure custom SSL context (applies to: all)

Override the default SSL configuration to enforce certificate validation and hostname verification.

Configure the Uniffle client with a custom SSLContext whose TrustManager validates certificates, and enable hostname verification.
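The workaround above in working form, as an added example that is not Uniffle's own code: it builds an SSLContext from an explicit truststore (so the default PKIX trust manager, not a trust-all one, checks the Coordinator's chain) and keeps the JDK's default hostname verifier on the REST connection. The truststore path, password and Coordinator URL are assumptions; the port follows the default given on this page.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical helper (not part of Uniffle) for talking to the Coordinator REST API over validated TLS. */
public final class CoordinatorTls {

    /** Builds an SSLContext that only trusts the CA(s) in the given truststore. */
    public static SSLContext validatingContext(String truststorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(truststorePath)) {
            trustStore.load(in, password); // assumed to hold the CA that signed the Coordinator cert
        }
        // Default algorithm is PKIX: untrusted, expired or mis-issued chains fail the handshake.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Opens a GET to the Coordinator and returns the HTTP status; throws SSLHandshakeException on an untrusted cert. */
    public static int probe(SSLContext ctx, String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) URI.create(url).toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Keep the JDK verifier; never install one that unconditionally returns true.
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        conn.setRequestMethod("GET");
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // Constructed values: replace with your own truststore and Coordinator endpoint.
        SSLContext ctx = validatingContext("/etc/uniffle/coordinator-truststore.jks", "changeit".toCharArray());
        System.out.println("HTTP " + probe(ctx, "https://coordinator.example.internal:19998/"));
    }
}
```

Pointing probe() at a Coordinator presenting a certificate not chained to the truststore, or one whose subject does not match the hostname, must raise an exception; if it returns a status code, the trust configuration is still too permissive.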

Network segmentation (applies to: all)

Isolate the Uniffle Coordinator and clients in protected network segments.

Implement firewall rules that restrict access to the Coordinator service (default port 19998) to trusted networks only.

🧯 If You Can't Patch

  • Deploy network-level TLS termination with proper certificate validation using reverse proxy
  • Implement certificate pinning at application layer to validate Coordinator certificates

🔍 How to Verify

Check if Vulnerable:

Check the Uniffle client configuration for SSL certificate validation settings. If 'ssl.trust.all.certificates' is true or hostname verification is disabled, the system is vulnerable.

Check Version:

Run uniffle version, or check pom.xml for a version < 0.10.0.

Verify Fix Applied:

Attempt to connect to the Coordinator with an invalid SSL certificate; the connection should fail. Verify that the client logs show certificate validation errors for invalid certificates.

📡 Detection & Monitoring

Log Indicators:

  • SSL handshake failures with self-signed certificates after patch
  • Unexpected client connections from unusual network segments

Network Indicators:

  • Unencrypted HTTP traffic to Coordinator port 19998
  • SSL connections without certificate validation

SIEM Query:

source="uniffle" AND (event="SSL_ERROR" OR event="CERTIFICATE_VALIDATION_FAILED")
