Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Critical

Apache Uniffle HTTP Client TLS Verification Bypass / MITM Exposure

IdentifiersCVE-2025-68637CWE-297· Improper Validation of Certificate…

CVE-2025-68637 is a critical vulnerability in Apache Uniffle affecting all versions prior to 0.10.0. The Uniffle HTTP client used by the CLI/client is configured insecurely by default to trust all SSL/TLS certificates and to disable hostname verification. As a result, REST API communications between the Uniffle CLI/client and the Uniffle Coordinator service are not properly authenticated at the TLS layer. This allows an attacker positioned on the network path to present an arbitrary certificate and impersonate the Coordinator service, enabling a man-in-the-middle attack against client-to-Coordinator traffic.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

A successful exploit allows interception and tampering of REST API traffic between the Uniffle CLI/client and the Uniffle Coordinator. The primary impact is loss of confidentiality and integrity of those communications: an attacker can eavesdrop on sensitive data in transit, modify requests or responses, and potentially impersonate the Coordinator service to connected clients. The supplied content does not indicate a direct availability impact.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, avoid using affected Uniffle clients over untrusted or shared networks. Restrict client-to-Coordinator communication to trusted network paths such as private networking or VPNs, and apply compensating controls including network segmentation and monitoring to reduce exposure to on-path attackers. Where configurable, enforce proper certificate validation and hostname verification rather than trusting all certificates.

Remediation

Patch, then assume compromise.

Upgrade Apache Uniffle to version 0.10.0 or later. According to the provided advisory content, version 0.10.0 fixes the insecure HTTP client TLS behavior by correcting certificate trust handling and hostname verification.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Apache Software FoundationUniffleapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

13 SOURCESView more in app
cve detailsNews
Jan 16, 2026
Apache : Security vulnerabilities, CVEs

Insecure TLS configuration in Apache Uniffle HTTP client (trust-all certs and no hostname verification) enabling MITM of REST API traffic.

Read more
security online infoNews
Jan 12, 2026
CVE-2025-68637: Critical Apache Uniffle Flaw Exposes Clusters to Eavesdropping

A critical vulnerability in Apache Uniffle that exposes clusters to eavesdropping.

Read more
cvefeed high severityNews
Jan 11, 2026
CVE-2025-68493 - Apache Struts, Apache Struts: XXE vulnerability in outdated XWork component

Unknown (only referenced as a high-severity Apache Uniffle issue; no technical details provided in the content).

Read more
cvefeed high severityNews
Jan 7, 2026
CVE-2025-68637 - Apache Uniffle: Insecure SSL Configuration in Uniffle HTTP Client

A critical insecure SSL configuration vulnerability in Apache Uniffle HTTP client, allowing Man-in-the-Middle (MITM) attacks due to trusting all certificates and disabling hostname verification.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity9

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-68637
NVD
nvd.nist.gov/vuln/detail/CVE-2025-68637
MITRE CWE · CWE-297
Improper Validation of Certificate with Host…
Vendor Advisory
lists.apache.org/thread/trvdd11hmpbjno3t8rc9okr4t036ox2v
Third Party Advisory
openwall.com/lists/oss-security/2025/12/27/2