PT-2025-48133 · Apache · Apache Druid

1Nfocalypse · Published 2025-11-26 · Updated 2025-12-04 · CVE-2025-59390

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache Druid versions prior to 35.0.0

Description: The Apache Druid Kerberos authenticator uses a weak fallback secret when the druid.auth.authenticator.kerberos.cookieSignatureSecret configuration is not explicitly set. The secret is generated using ThreadLocalRandom, which is not a cryptographically secure random number generator. This could allow an attacker to predict or brute force the secret used to sign authentication cookies, potentially enabling token forgery or authentication bypass. Because each process generates its own fallback secret, the secrets are also inconsistent across nodes, causing authentication failures in distributed or multi-broker deployments.

Recommendations: Versions prior to 35.0.0 should be upgraded to version 35.0.0, which fixes the issue and makes it mandatory to set druid.auth.authenticator.kerberos.cookieSignatureSecret when using the Kerberos authenticator. Services will fail to start if the secret is not set.
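The weak fallback and the mandatory-secret startup check described above, as an added illustrative Java example (not Druid's own source; the class, method names and config handling are assumptions, and only the property key comes from the advisory):

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import java.util.concurrent.ThreadLocalRandom;

// Illustrative reconstruction of the pattern the advisory describes; this is
// not Apache Druid's code.
public class CookieSecretCheck {
    static final String KEY = "druid.auth.authenticator.kerberos.cookieSignatureSecret";

    // "Before": if the key is absent, derive a per-process secret from
    // ThreadLocalRandom, which is not a CSPRNG; every process gets its own value.
    static String weakFallbackSecret(Properties props) {
        String configured = props.getProperty(KEY);
        if (configured != null && !configured.isEmpty()) {
            return configured;
        }
        byte[] buf = new byte[32];
        ThreadLocalRandom.current().nextBytes(buf);
        return Base64.getEncoder().encodeToString(buf);
    }

    // "After": refuse to start without an explicit secret, as 35.0.0 does.
    static String requiredSecret(Properties props) {
        String configured = props.getProperty(KEY);
        if (configured == null || configured.isEmpty()) {
            throw new IllegalStateException(KEY + " must be set for the Kerberos authenticator");
        }
        return configured;
    }

    // Operator helper: generate one CSPRNG-backed value to put in every node's config.
    static String generateSharedSecret() {
        byte[] buf = new byte[32];
        new SecureRandom().nextBytes(buf);
        return Base64.getEncoder().encodeToString(buf);
    }

    public static void main(String[] args) {
        Properties unset = new Properties();   // constructed: key deliberately absent
        // Two draws stand in for two processes; they disagree on the fallback secret.
        String nodeA = weakFallbackSecret(unset);
        String nodeB = weakFallbackSecret(unset);
        System.out.println("fallback secrets equal across nodes: " + nodeA.equals(nodeB));
        try {
            requiredSecret(unset);
        } catch (IllegalStateException e) {
            System.out.println("hardened startup refused: " + e.getMessage());
        }
        Properties set = new Properties();
        set.setProperty(KEY, generateSharedSecret());
        System.out.println("hardened startup accepts explicit secret: " + !requiredSecret(set).isEmpty());
    }
}
```

Auditing a deployment for this issue reduces to the same check as `requiredSecret`: confirm the property is present and identical in every node's runtime configuration.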

Related Identifiers

CVE-2025-59390
GHSA-W88F-4875-99C8

Affected Products

Apache Druid