VYPR
Moderate severity · NVD Advisory · Published Mar 20, 2025 · Updated Mar 25, 2025

Apache Druid: Server-Side Request Forgery and Cross-Site Scripting

CVE-2025-27888

Description

An authenticated SSRF/XSS vulnerability in Apache Druid's management proxy allows redirecting requests to arbitrary servers, potentially enabling XSS or XSRF attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Overview

CVE-2025-27888 is a server-side request forgery (SSRF) vulnerability in Apache Druid that also encompasses cross-site scripting (XSS) and open redirect flaws. The root cause is improper input neutralization within Druid's management proxy, which is enabled by default in out-of-the-box configurations. A specially crafted URL can be used to redirect requests to an arbitrary server, leading to potential XSS or cross-site request forgery (XSRF) attacks [1][3].

Exploitation

Conditions

The vulnerability requires the attacker to be authenticated to the Druid instance. The management proxy, which is the attack surface, is enabled by default. An attacker who is authenticated can craft a malicious URL that, when processed by the proxy, redirects the request to an attacker-controlled server [1][3]. This setup does not require any additional privileges beyond authentication.

Impact

Successful exploitation could allow an attacker to perform XSS attacks by injecting malicious scripts into web pages generated by Druid, or to conduct XSRF attacks by tricking users into performing unintended actions. The SSRF aspect may also allow the attacker to probe internal network resources or access sensitive data indirectly. The overall severity is rated as medium (CVSS 5.8) / important [1].

Mitigation

Apache has released Druid 31.0.2 and Druid 32.0.1, which fix the issue. Users are strongly advised to upgrade to these versions [1][3][4]. As a workaround, the management proxy can be disabled, which mitigates the vulnerability at the cost of losing some web console features (core functionality remains unaffected) [1][3]. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of publication.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Affected versions     Patched versions
org.apache.druid:druid (Maven)  < 31.0.2              31.0.2
org.apache.druid:druid (Maven)  >= 32.0.0, < 32.0.1   32.0.1
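A fleet check against the affected ranges above, added here as an example and not part of the advisory or the Druid project: it maps a reported Druid version to the fix release and reads a router runtime.properties text for the management proxy flag. The property name druid.router.managementProxy.enabled is assumed from Druid's router documentation, and the sample config is constructed.

```python
import re
from typing import Optional, Tuple

# Affected ranges exactly as listed in the advisory: (lower inclusive or None, upper exclusive, fix)
AFFECTED_RANGES = [
    (None, "31.0.2", "31.0.2"),
    ("32.0.0", "32.0.1", "32.0.1"),
]
# Router property name assumed from Druid's router documentation; it is not quoted in the advisory.
PROXY_KEY = "druid.router.managementProxy.enabled"

def parse_version(text: str) -> Tuple[int, ...]:
    """'Druid 31.0.1', '31.0.1' or '31' -> (31, 0, 1) / (31, 0, 0) for tuple comparison."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def fix_version(version: str) -> Optional[str]:
    """Return the release a vulnerable install should move to, or None if not affected."""
    v = parse_version(version)
    for lower, upper, fix in AFFECTED_RANGES:
        if (lower is None or v >= parse_version(lower)) and v < parse_version(upper):
            return fix
    return None

def management_proxy_enabled(runtime_properties: str) -> Optional[bool]:
    """Read the proxy flag from a router runtime.properties text; None if the key is absent."""
    for line in runtime_properties.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == PROXY_KEY:
            return value.strip().lower() == "true"
    return None

def assess(version: str, runtime_properties: str) -> str:
    """Combine the two checks into the action a defender would take."""
    fix = fix_version(version)
    if fix is None:
        return "not affected"
    proxy = management_proxy_enabled(runtime_properties)
    if proxy is False:
        return f"affected but management proxy disabled; upgrade to {fix} when possible"
    return f"vulnerable: upgrade to {fix} or set {PROXY_KEY}=false"

if __name__ == "__main__":
    # Constructed sample router config, not taken from any real deployment.
    sample = "druid.host=router-1\n" + PROXY_KEY + "=true\n"
    print(assess("Druid 31.0.1", sample))
```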
