Server-Side Request Forgery and Cross-Site Scripting in Apache Druid
CVE-2025-27888

5.8 MEDIUM

Key Information:

Vendor: Apache
CVE Published: 20 March 2025

What is CVE-2025-27888?

CVE-2025-27888 is a medium-severity vulnerability in Apache Druid, an open-source database for real-time analytics and data ingestion. It allows an attacker to perform server-side request forgery (SSRF) and, because input is not properly neutralized, cross-site scripting (XSS). For organizations running Druid the consequences can be significant: requests can be redirected to servers the attacker controls, exposing sensitive data and undermining the integrity of the system. Because the affected feature is enabled in the default configuration, deployments are exposed unless mitigations are applied.

Technical Details

The vulnerability lies in the Druid management proxy: by crafting a specific URL, an attacker can cause the proxy to redirect a legitimate request to an arbitrary server, which opens the door to both SSRF and XSS. Exploitation requires authentication, so only an authenticated user can trigger it. The management proxy is enabled in Druid's default configuration, so administrators should review their settings. To mitigate CVE-2025-27888, either disable the management proxy feature or upgrade to a patched release, Druid 31.0.2 or Druid 32.0.1.

Potential Impact of CVE-2025-27888

  1. Data Exposure: The SSRF capability allows attackers to query internal networks, potentially leading to unauthorized access to sensitive information stored within the ecosystem.

  2. Malicious Redirects: XSS vulnerabilities can be leveraged to inject malicious scripts into web pages, resulting in user session hijacking, defacement, and phishing attacks aimed at users interacting with the Druid management console.

  3. System Compromise: By exploiting the management proxy, an attacker may gain further control over affected systems, enabling broader access to organizational resources and increasing the likelihood of a more extensive compromise or malware deployment.

Affected Version(s)

Apache Druid, all versions from 0 up to but not including 31.0.2

Apache Druid 32.0.0
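The two questions an administrator needs to answer from the Technical Details and Affected Version(s) sections above are "is my Druid release in the affected range?" and "is the management proxy switched on?". The following script is an added example, not code from the advisory or from the Apache Druid project. It parses a Druid version string against the advisory's fixed releases (31.0.2 and 32.0.1) and reads the Router's `druid.router.managementProxy.enabled` property from a `runtime.properties` file, which is the Router configuration key that controls the management proxy. The sample properties text is constructed for the example.

```python
import re
from typing import Dict, Tuple

# Fixed releases named in the advisory: 31.0.2 closes the "< 31.0.2" range,
# 32.0.1 closes the 32.x line (only 32.0.0 is listed as affected).
FIXED_31 = (31, 0, 2)
FIXED_32 = (32, 0, 1)

# Router property that turns the management proxy on (Druid Router configuration).
PROXY_KEY = "druid.router.managementProxy.enabled"

# Constructed sample of a Router runtime.properties for this example.
SAMPLE_RUNTIME_PROPERTIES = """\
# Router configuration (constructed sample)
druid.service=druid/router
druid.plaintextPort=8888
druid.router.http.numConnections=50
druid.router.managementProxy.enabled=true
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a Druid version such as '31.0.1' or '32.0.0-SNAPSHOT' into a comparable tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Druid version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_is_affected(version: str) -> bool:
    """True when the release falls inside the advisory's affected ranges."""
    v = parse_version(version)
    if v < FIXED_31:          # every release below 31.0.2
        return True
    if v[0] == 32 and v < FIXED_32:  # 32.0.0 only; 32.0.1 is the fix
        return True
    return False


def management_proxy_enabled(runtime_properties: str) -> bool:
    """Read druid.router.managementProxy.enabled from Java-properties text.

    Handles '#' and '!' comment lines and the '=', ':' and whitespace key/value
    separators; as in Java properties, the last definition of a key wins.
    """
    enabled = False
    for raw in runtime_properties.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:\s]\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == PROXY_KEY:
            enabled = value.lower() == "true"
    return enabled


def assess(version: str, runtime_properties: str) -> Dict[str, object]:
    """Combine both checks into a single exposure verdict for CVE-2025-27888."""
    affected = version_is_affected(version)
    proxy_on = management_proxy_enabled(runtime_properties)
    exposed = affected and proxy_on
    if not affected:
        advice = "release already contains the fix"
    elif proxy_on:
        advice = "upgrade to 31.0.2 / 32.0.1 or set %s=false" % PROXY_KEY
    else:
        advice = "management proxy disabled; still upgrade to a fixed release"
    return {
        "version_affected": affected,
        "management_proxy_enabled": proxy_on,
        "exposed": exposed,
        "recommendation": advice,
    }


if __name__ == "__main__":
    for v in ("30.0.1", "31.0.1", "31.0.2", "32.0.0", "32.0.1"):
        print(v, assess(v, SAMPLE_RUNTIME_PROPERTIES))
```

Run it with the version reported by the Druid cluster and the Router's actual `runtime.properties`; a result with `exposed` set to true means both the vulnerable code and the reachable feature are present, and the recommendation mirrors the advisory's two options.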

CVSS V4

Score: 5.8
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved