Apache Uniffle security advisories

Security information for Apache Uniffle

Reporting

Do you want disclose a potential security issue for Apache Uniffle? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Insecure SSL Configuration in Uniffle HTTP Client

CVE-2025-68637 [CVE] [CVE json] [OSV json]

Last updated: 2026-01-07T09:39:02.164Z

Affected

  • Apache Uniffle before 0.10.0

Description

The Uniffle HTTP client is configured to trust all SSL certificates and

disables hostname verification by default. This insecure configuration
exposes all REST API communication between the Uniffle CLI/client and the
Uniffle Coordinator service to potential Man-in-the-Middle (MITM) attacks.

This issue affects all versions from before 0.10.0.

Users are recommended to upgrade to version 0.10.0, which fixes the issue.

References

Credits

  • omkar parkhe. (finder)