Predictable Seed in Pseudo-Random Number Generator (PRNG) in Apache Druid - CVE-2025-59390
Published: November 28, 2025
Apache Druid
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass authentication.
The vulnerability exists because Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In that case the secret is generated using `ThreadLocalRandom`, which is not a cryptographically secure random number generator. A remote attacker can predict or brute force the secret used to sign authentication cookies, enabling token forgery or authentication bypass.
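A configuration audit for the condition described above, as an added example that is not part of the advisory or of Apache Druid's code: it flags Kerberos authenticators that have no explicit `cookieSignatureSecret` and proposes a value drawn from a CSPRNG. It assumes authenticators are declared as `druid.auth.authenticator.<name>.type=kerberos`; the sample properties, the authenticator names `krbEmpty` and `krbSet`, and all function names are constructed for illustration.

```python
import re
import secrets

PREFIX = "druid.auth.authenticator."
SECRET_KEY = "cookieSignatureSecret"  # property suffix named in the advisory

# Constructed sample runtime.properties (not from a real cluster).
SAMPLE = """\
druid.auth.authenticatorChain=["kerberos","krbEmpty","krbSet","basic"]
druid.auth.authenticator.kerberos.type=kerberos
druid.auth.authenticator.krbEmpty.type=kerberos
druid.auth.authenticator.krbEmpty.cookieSignatureSecret=
druid.auth.authenticator.krbSet.type = kerberos
druid.auth.authenticator.krbSet.cookieSignatureSecret = PLACEHOLDER_FROM_SECRET_STORE
druid.auth.authenticator.basic.type=basic
"""

def parse_properties(text):
    """Parse simple key=value / key:value lines (no line continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^\s=:]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def kerberos_missing_secret(text):
    """Names of Kerberos authenticators with no explicit, non-empty secret."""
    props = parse_properties(text)
    # Assumption: authenticators are declared as <PREFIX><name>.type=kerberos.
    names = [k[len(PREFIX):-len(".type")] for k, v in props.items()
             if k.startswith(PREFIX) and k.endswith(".type") and v.lower() == "kerberos"]
    return sorted(n for n in names if not props.get(f"{PREFIX}{n}.{SECRET_KEY}"))

def new_cookie_secret(nbytes=32):
    """Secret drawn from the OS CSPRNG via the secrets module."""
    return secrets.token_urlsafe(nbytes)

def remediation_lines(text):
    """One explicit secret line per affected authenticator."""
    return [f"{PREFIX}{n}.{SECRET_KEY}={new_cookie_secret()}"
            for n in kerberos_missing_secret(text)]

if __name__ == "__main__":
    for line in remediation_lines(SAMPLE):
        print(line)
```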