CVE-2025-68637
Published: 07 January 2026
Summary
CVE-2025-68637 is a critical-severity Improper Validation of Certificate with Host Mismatch (CWE-297) vulnerability in Apache Uniffle. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). The CVE ranks at the 22.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-17 (Public Key Infrastructure Certificates).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-8 (Transmission Confidentiality and Integrity): requires cryptographic protection for transmission confidentiality and integrity, directly preventing MITM attacks by mandating proper TLS implementation with certificate validation.
- CM-6 (Configuration Settings): mandates secure configuration settings for IT products, directly addressing the default insecure SSL configuration that trusts all certificates and disables hostname verification in the Uniffle HTTP client.
- SC-17 (Public Key Infrastructure Certificates): establishes requirements for PKI certificate management and validation, mitigating the improper certificate trust and host mismatch exploited in this CVE's MITM vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Insecure default SSL/TLS config (trust-all certs, no hostname verification) directly enables MITM interception/modification of API traffic (T1557).
NVD Description
The Uniffle HTTP client is configured to trust all SSL certificates and disables hostname verification by default. This insecure configuration exposes all REST API communication between the Uniffle CLI/client and the Uniffle Coordinator service to potential Man-in-the-Middle (MITM) attacks. This issue affects all versions before 0.10.0. Users are recommended to upgrade to version 0.10.0, which fixes the issue.
Deeper analysis
CVE-2025-68637 is a high-severity vulnerability in the Uniffle HTTP client, which is configured by default to trust all SSL certificates and disable hostname verification. This insecure setup exposes REST API communications between the Uniffle CLI/client and the Uniffle Coordinator service to man-in-the-middle (MITM) attacks. The issue affects all versions prior to 0.10.0 and is classified under CWE-297 (Improper Validation of Certificate with Host Mismatch), with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
Attackers with network access to the communication path can exploit this vulnerability without privileges or user interaction. By performing an MITM attack, they can intercept, read, and modify sensitive data in transit, achieving high impacts on confidentiality and integrity, though availability remains unaffected.
Advisories recommend upgrading to Uniffle version 0.10.0, which addresses the issue by correcting the SSL configuration. Additional details are available in the Apache mailing list announcement at https://lists.apache.org/thread/trvdd11hmpbjno3t8rc9okr4t036ox2v and the OSS-Security mailing list at http://www.openwall.com/lists/oss-security/2025/12/27/2.
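As an added illustration (not Uniffle's own code, which is Java; this is a Python stand-in), the trust-all / no-hostname-check client settings the advisory describes beside the hardened default, a small audit that flags them, and the SAN-to-host comparison that "disables hostname verification" skips. The certificate SAN list is constructed.

```python
"""Added illustration for CVE-2025-68637 (CWE-297): the trust-all /
no-hostname-check client configuration beside the hardened default, and
the hostname check that the insecure client omits. Python stand-in, not
Uniffle's (Java) code; the certificate SAN list below is constructed."""
import ssl


def build_client_context(trust_all: bool = False) -> ssl.SSLContext:
    """Client TLS context. trust_all=True reproduces the pre-0.10.0 Uniffle
    default: any certificate accepted, host name never compared."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    if trust_all:
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Findings a configuration review (CM-6) would raise for a context."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("trusts all certificates (verify_mode=CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled (check_hostname=False)")
    return findings


def _pattern_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style dNSName match: a '*' is allowed only as the whole
    left-most label, matches exactly one label, and needs at least two
    labels to its right ('*.example.test' ok, '*.test' rejected)."""
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches(san_dns_names: list, host: str) -> bool:
    """True only if `host` matches one dNSName SAN of the presented cert;
    this is the comparison a host-mismatch (CWE-297) bug skips."""
    host = host.rstrip(".")
    return any(_pattern_matches(n.rstrip("."), host) for n in san_dns_names)


# Constructed SAN list standing in for a Coordinator's server certificate.
COORDINATOR_SAN = ["coordinator.example.test", "*.example.test"]
```

With the trust-all context, a certificate whose SAN names an unrelated host is accepted without the comparison `hostname_matches` performs, which is exactly what makes the API traffic interceptable.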
Details
- CWE(s): CWE-297 (Improper Validation of Certificate with Host Mismatch)