Insecure SSL Certificate Trust in Uniffle HTTP Client - Uniffle Vendor
CVE-2025-68637

9.1CRITICAL

Key Information:

Vendor: Apache
Status: Apache Uniffle
Vendor: CVE Published:; 7 January 2026

What is CVE-2025-68637?

The Uniffle HTTP Client is improperly configured to trust all SSL certificates and disables hostname verification by default. This insecure setup leaves REST API communications vulnerable to potential Man-in-the-Middle (MITM) attacks, allowing malicious actors to intercept or alter data between the Uniffle CLI/client and the Uniffle Coordinator service. To mitigate this risk, all users are strongly advised to upgrade to version 0.10.0, which addresses this configuration flaw.

Affected Version(s)

Apache Uniffle 0 < 0.10.0

References

https://lists.apache.org/thread/trvdd11hmpbjno3t8rc9okr4t...

vendor-advisory

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 7, 2026
Vulnerability Reserved
Dec 20, 2025

Credit

omkar parkhe.

JSON