SB2025112807 - Authentication bypass in Apache Druid Kerberos authenticator

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025112807

SB2025112807 - Authentication bypass in Apache Druid Kerberos authenticator

Published: November 28, 2025

Security Bulletin ID SB2025112807
Severity
High
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 security vulnerability.


1) Predictable Seed in Pseudo-Random Number Generator (PRNG) (CVE-ID: CVE-2025-59390)

The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. As a result the secret is generated using `ThreadLocalRandom`, which is not a crypto-graphically secure random number generator.A remote attacker can predict or brute force the secret used to sign authentication cookies, enabling token forgery or authentication bypass.


Remediation

Install update from vendor's website.

References