CVE-2025-27888 Apache Druid: Server-Side Request Forgery and Cross-Site Scripting

🗓️ 20 Mar 2025 11:29:00Reported by apacheType

Apache Druid has vulnerabilities including SSRF and Cross-Site Scripting in all prior versions.

Reporter	Title	Published	Views	Family All 16
BDU FSTEC	The vulnerability of the Apache Druid analytical database lies in the redirection of URLs to an unreliable website. This allows attackers to redirect users to arbitrary URL addresses, execute XSS attacks, or perform SSRF attacks.	25 Jun 202500:00	–	bdu_fstec
Circl	CVE-2025-27888	19 Mar 202517:38	–	circl
CNNVD	Apache Druid 代码问题漏洞	20 Mar 202500:00	–	cnnvd
CVE	CVE-2025-27888	20 Mar 202511:29	–	cve
EUVD	EUVD-2025-6811	3 Oct 202520:07	–	euvd
Github Security Blog	Apache Druid vulnerable to Server-Side Request Forgery, Cross-site Scripting, Open Redirect	20 Mar 202512:32	–	github
Nuclei	Apache Druid - Server-Side Request Forgery	19 Jun 202611:10	–	nuclei
NVD	CVE-2025-27888	20 Mar 202512:15	–	nvd
OSV	GHSA-2XCR-P767-F3RV Apache Druid vulnerable to Server-Side Request Forgery, Cross-site Scripting, Open Redirect	20 Mar 202512:32	–	osv
Positive Technologies	PT-2025-12331	19 Mar 202500:00	–	ptsecurity

[
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "org.apache.druid:druid",
    "product": "Apache Druid",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "31.0.2",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "32.0.0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
lists	www.lists.apache.org/thread/c0qo989pwtrqkjv6xfr0c30dnjq8vf39

25 Mar 2025 15:18Current

CVSS 45.8

EPSS0.01643

apache druid vulnerabilities server-side request forgery cross-site scripting url redirection management proxy security update