{"id":"CVE-2025-68637","details":"The Uniffle HTTP client is configured to trust all SSL certificates and\ndisables hostname verification by default. This insecure configuration\nexposes all REST API communication between the Uniffle CLI/client and the\nUniffle Coordinator service to potential Man-in-the-Middle (MITM) attacks.\n\nThis issue affects all versions before 0.10.0.\n\nUsers are recommended to upgrade to version 0.10.0, which fixes the issue.","modified":"2026-04-10T05:36:37.715126Z","published":"2026-01-07T12:17:05.860Z","references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2025/12/27/2"},{"type":"REPORT","url":"https://lists.apache.org/thread/trvdd11hmpbjno3t8rc9okr4t036ox2v"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/uniffle","events":[{"introduced":"0"},{"fixed":"2df9eebed65bf99965ba3e65565e33e44a2fb393"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.10.0"}]}}],"versions":["release-0.2.0","release-0.3.0","release-0.4.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68637.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}