Apache Druid Kerberos Fallback Cookie Secret Weakness (CVE-2025-59390)
CVE-2025-59390 Published on November 26, 2025
Apache Druid: Kerberos authenticaton chooses a cryptographically unsecure secret if not configured explicitly.
Apache Druids Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`,
which is not a crypto-graphically secure random number generator. This
may allow an attacker to predict or brute force the secret used to sign
authentication cookies, potentially enabling token forgery or
authentication bypass. Additionally, each process generates its own
fallback secret, resulting in inconsistent secrets across nodes. This
causes authentication failures in distributed or multi-broker
deployments, effectively leading to a incorrectly configured clusters. Users are
advised to configure a strong `druid.auth.authenticator.kerberos.cookieSignatureSecret`
This issue affects Apache Druid: through 34.0.0.
Users are recommended to upgrade to version 35.0.0, which fixes the issue making it mandatory to set `druid.auth.authenticator.kerberos.cookieSignatureSecret` when using the Kerberos authenticator. Services will fail to come up if the secret is not set.
Vulnerability Analysis
CVE-2025-59390 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
What is a PRNG Vulnerability?
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
CVE-2025-59390 has been classified to as a PRNG vulnerability or weakness.
Products Associated with CVE-2025-59390
Want to know whenever a new CVE is published for Apache Druid? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache Druid:- Before and including 34.0.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.