Apache Uniffle: Insecure SSL Configuration in Uniffle HTTP Client

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

The Uniffle HTTP client is configured to trust all SSL certificates and

disables hostname verification by default. This insecure configuration
exposes all REST API communication between the Uniffle CLI/client and the
Uniffle Coordinator service to potential Man-in-the-Middle (MITM) attacks.

This issue affects all versions from before 0.10.0.

Users are recommended to upgrade to version 0.10.0, which fixes the issue.

AI Analysis

Insecure SSL configuration in Uniffle HTTP client, exposing REST API communication to potential Man-in-the-Middle (MITM) attacks.

Basic Information

ID CVE-2025-68637

Source apache

Published Jan 7, 2026 at 09:39

Modified Jan 7, 2026 at 14:40

Affected Product

Vendor Apache Software Foundation

Product Apache Uniffle

Affected Versions Apache Software Foundation Apache Uniffle 0

CWE Classification

CWE-297

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor Apache Software Foundation

Product Apache Uniffle

Version All versions before 0.10.0

References

lists.apache.org /thread/trvdd11hmpbjno3t8rc9okr4t036ox2v

{
    "lastseen": "",
    "description": "The Uniffle HTTP client is configured to trust all SSL certificates and\n\ndisables hostname verification by default. This insecure configuration\nexposes all REST API communication between the Uniffle CLI/client and the\nUniffle Coordinator service to potential Man-in-the-Middle (MITM) attacks.\n\n\nThis issue affects all versions from before 0.10.0.\n\nUsers are recommended to upgrade to version 0.10.0, which fixes the issue.",
    "published": "2026-01-07T09:39:04.167Z",
    "modified": "2026-01-07T14:40:51.284Z",
    "type": "cve",
    "title": "Apache Uniffle: Insecure SSL Configuration in Uniffle HTTP Client",
    "source": "apache",
    "references": "https://lists.apache.org/thread/trvdd11hmpbjno3t8rc9okr4t036ox2v",
    "id": "CVE-2025-68637",
    "bulletinFamily": "",
    "cwe": [
        "CWE-297"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Uniffle 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Uniffle",
    "version": "0",
    "vendor": "Apache Software Foundation",
    "ai_description": "Insecure SSL configuration in Uniffle HTTP client, exposing REST API communication to potential Man-in-the-Middle (MITM) attacks.",
    "ai_severity": "Critical",
    "ai_vendor": "Apache Software Foundation",
    "ai_product": "Apache Uniffle",
    "ai_version": "All versions before 0.10.0",
    "ai_score": 9.1
}

Apache Uniffle: Insecure SSL Configuration in Uniffle HTTP Client_CVE-2025-68637