CVE-2025-68637: Critical Man-in-the-Middle Vulnerability in Apache Uniffle Due to Insecure SSL Validation

CyberDefender 2 mins0

CVE-2025-68637 is a critical security flaw in the Apache Uniffle project’s HTTP client implementation.

Vulnerability Details

  • Affected software: Apache Uniffle HTTP client (all versions before 0.10.0).
  • Issue: The HTTP client trusts all SSL/TLS certificates by default and disables hostname verification. This means it accepts any certificate and does not verify the server’s identity.
  • Weakness type: CWE-297 – Improper Validation of Certificate with Host Mismatch.

Impact

Because of the insecure SSL configuration:

  • An attacker with network access between the Uniffle client and its coordinator service can mount a Man-in-the-Middle (MITM) attack.
  • The attacker could intercept, read, or modify REST API traffic (including credentials or sensitive commands) without authentication.
  • No privileges or user interaction are required to exploit this.

Severity

  • CVSS v3.1 Base Score:9.1 (Critical)
    • Vector: Network exploit, low complexity, no privileges needed, high confidentiality & integrity impact.

Mitigation / Fix

  • Upgrade to Apache Uniffle version 0.10.0 or later, which enforces proper SSL certificate validation and hostname verification.
  • Until patched, limit network exposure of Uniffle services, isolate traffic via segmentation, and monitor for suspicious certificate activity.

Summary

CVE-2025-68637 is a critical MITM vulnerability in Apache Uniffle’s HTTP client caused by unsafe SSL settings. It affects versions before 0.10.0 and allows an attacker on the network path to intercept or tamper with REST API communication. Immediate upgrading to a fixed release is recommended.

If you use Apache Uniffle in production (e.g., in data clusters or distributed systems), treating this as a high-priority patch is important.

CyberDefender