PT-2025-12331 · Apache · Apache Druid

Xbow · Published 2025-03-19 · Updated 2025-09-23 · CVE-2025-27888

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:P/A:N
Product: Apache Druid
Affected Versions: Apache Druid versions prior to 31.0.2 and prior to 32.0.1
Description: Apache Druid is susceptible to Server-Side Request Forgery (SSRF), Cross-Site Scripting (XSS), and Open Redirect issues. When the Druid management proxy is used, a specially crafted URL in a request can redirect the request to an arbitrary server, potentially leading to XSS or Cross-Site Request Forgery (XSRF). Exploitation requires user authentication. The management proxy is enabled by default in Druid configurations. The issue affects all previous versions of Druid. The vulnerability stems from improper neutralization of input during web page generation and from an open redirect.

Recommendations: Upgrade to Druid version 31.0.2 or 32.0.1 to resolve the issue. As a mitigation, disable the Druid management proxy. Note that disabling the management proxy will affect some web console features, but core functionality will remain operational.
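An added example (not part of this advisory or of Apache Druid) that turns the version ranges and the mitigation above into a check a defender can run against a router's runtime.properties. It assumes the config is a Java properties file and that the management proxy is controlled by the real Druid key druid.router.managementProxy.enabled; the sample config below is constructed.

```python
"""Assess a Druid router's exposure to CVE-2025-27888 from its version string
and its router runtime.properties.  Example code for this advisory, not Druid's own.
Assumes a Java .properties file and the key druid.router.managementProxy.enabled."""
import re

# Fixed versions named in the advisory, keyed by release line (31.x, 32.x).
FIXED = {31: (31, 0, 2), 32: (32, 0, 1)}

def parse_version(text):
    """'31.0.1' -> (31, 0, 1); tolerates a trailing suffix such as '-rc1'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Druid version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable_version(version):
    """Affected: every release before 31.0.2, and 32.x releases before 32.0.1.
    Lines after 32 are not listed as affected by the advisory."""
    v = parse_version(version)
    if v[0] in FIXED:
        return v < FIXED[v[0]]
    return v < FIXED[31]

def management_proxy_enabled(properties_text):
    """Read druid.router.managementProxy.enabled; last assignment wins, default false."""
    pat = re.compile(r"^\s*druid\.router\.managementProxy\.enabled\s*[=:]\s*(\S+)")
    enabled = False
    for line in properties_text.splitlines():
        m = pat.match(line)
        if m:
            enabled = m.group(1).lower() == "true"
    return enabled

def assess(version, properties_text):
    """'patched' (fixed version), 'mitigated' (proxy off), or 'exposed'."""
    if not is_vulnerable_version(version):
        return "patched"
    if not management_proxy_enabled(properties_text):
        return "mitigated"
    return "exposed"

# Constructed sample router config with the proxy on, as quickstart setups ship it.
SAMPLE_ROUTER_PROPERTIES = """\
druid.service=druid/router
druid.plaintextPort=8888
# Management proxy to coordinator/overlord: needed by some web console features.
druid.router.managementProxy.enabled=true
"""

if __name__ == "__main__":
    for ver in ("30.0.0", "31.0.1", "31.0.2", "32.0.0", "32.0.1", "33.0.0"):
        print(ver, assess(ver, SAMPLE_ROUTER_PROPERTIES))
```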

Fix

Open Redirect

SSRF

XSS

Weakness Enumeration

Related Identifiers

BDU:2025-07571
CVE-2025-27888
GHSA-2XCR-P767-F3RV

Affected Products

Apache Druid