Vulnerability Details CVE-2025-68637
The Uniffle HTTP client is configured to trust all SSL certificates and
disables hostname verification by default. This insecure configuration
exposes all REST API communication between the Uniffle CLI/client and the
Uniffle Coordinator service to potential Man-in-the-Middle (MITM) attacks.
This issue affects all versions from before 0.10.0.
Users are recommended to upgrade to version 0.10.0, which fixes the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 4.2%
CVSS Severity
CVSS v3 Score 9.1
References
Products affected by CVE-2025-68637
-
cpe:2.3:a:apache:uniffle:0.1.0
-
cpe:2.3:a:apache:uniffle:0.2.0
-
cpe:2.3:a:apache:uniffle:0.3.0
-
cpe:2.3:a:apache:uniffle:0.4.0
-
cpe:2.3:a:apache:uniffle:0.4.1
-
cpe:2.3:a:apache:uniffle:0.6.0
-
cpe:2.3:a:apache:uniffle:0.6.1
-
cpe:2.3:a:apache:uniffle:0.7.0
-
cpe:2.3:a:apache:uniffle:0.7.1
-
cpe:2.3:a:apache:uniffle:0.8.0
-
cpe:2.3:a:apache:uniffle:0.9.0
-
cpe:2.3:a:apache:uniffle:0.9.1
-
cpe:2.3:a:apache:uniffle:0.9.2