CVE-2025-68637

EUVD-2026-1226
The Uniffle HTTP client is configured to trust all SSL certificates and

disables hostname verification by default. This insecure configuration
exposes all REST API communication between the Uniffle CLI/client and the
Uniffle Coordinator service to potential Man-in-the-Middle (MITM) attacks.


This issue affects all versions from before 0.10.0.

Users are recommended to upgrade to version 0.10.0, which fixes the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA-ADPADP
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 17%
Affected Products (NVD)
VendorProductVersion
apacheuniffle
𝑥
< 0.10.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://lists.apache.org/thread/trvdd11hmpbjno3t8rc9okr4t036ox2v
http://www.openwall.com/lists/oss-security/2025/12/27/2