CVE-2025-68637
Last modified
CVE-2025-68637 is a critical-severity vulnerability rated 9.1/10 on the CVSS scale. The Uniffle HTTP client is configured to trust all SSL certificates and disables hostname verification by default. This insecure configuration exposes all REST API communication between the Uniffle CLI/client and the Uniffle Coordinator service to potential Man-in-the-Middle (MITM) attacks. This issue affects all versions from before 0.10.0. Users are recommended to upgrade to version 0.10.0, which fixes the issue.. EPSS estimates a 0.22% chance of exploitation in the next 30 days.
Description
The Uniffle HTTP client is configured to trust all SSL certificates and disables hostname verification by default. This insecure configuration exposes all REST API communication between the Uniffle CLI/client and the Uniffle Coordinator service to potential Man-in-the-Middle (MITM) attacks. This issue affects all versions from before 0.10.0. Users are recommended to upgrade to version 0.10.0, which fixes the issue.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Uniffle | < 0.10.0 |
References
- https://lists.apache.org/thread/trvdd11hmpbjno3t8rc9okr4t036ox2vIssue Tracking, Mailing List, Vendor Advisory
- http://www.openwall.com/lists/oss-security/2025/12/27/2Mailing List, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-68637?
How severe is CVE-2025-68637?
How do I fix CVE-2025-68637?
Are you affected by CVE-2025-68637?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST