CVE-2025-68637

Summary

The Uniffle HTTP client is configured to trust all SSL certificates and

disables hostname verification by default. This insecure configuration exposes all REST API communication between the Uniffle CLI/client and the Uniffle Coordinator service to potential Man-in-the-Middle (MITM) attacks.

This issue affects all versions from before 0.10.0.

Users are recommended to upgrade to version 0.10.0, which fixes the issue.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Uniffle0 < 0.10.0affected

Weaknesses

  • CWE-297: CWE-297 Improper Validation of Certificate with Host Mismatch

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References