Main Vulnerability Database Vulnerabilities #VU118821

#VU118821 Predictable Seed in Pseudo-Random Number Generator (PRNG) in Apache Druid - CVE-2025-59390

Published: November 28, 2025

Vulnerability identifier: #VU118821

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2025-59390

CWE-ID: CWE-337

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Apache Druid

Software vendor:
Apache Foundation

Description

The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. As a result the secret is generated using `ThreadLocalRandom`, which is not a crypto-graphically secure random number generator.A remote attacker can predict or brute force the secret used to sign authentication cookies, enabling token forgery or authentication bypass.

Remediation

Install updates from vendor's website.

External links

https://lists.apache.org/thread/g35x2n8khw0gdl8mhqwl2t4o0h296y9s

#VU118821 Predictable Seed in Pseudo-Random Number Generator (PRNG) in Apache Druid - CVE-2025-59390

Description

Remediation

External links

Please verify you're human