Server-side Request Forgery (SSRF) Affecting org.apache.druid:druid-server package, versions [,31.0.2)[32.0.0,32.0.1)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Server-side Request Forgery (SSRF) vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JAVA-ORGAPACHEDRUID-9510945
- published23 Mar 2025
- disclosed20 Mar 2025
- creditUnknown
Introduced: 20 Mar 2025
NewCVE-2025-27888 (opens in a new tab)How to fix?
Upgrade org.apache.druid:druid-server to version 31.0.2, 32.0.1 or higher.
Overview
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the concatenateForRewrite() method in JettyUtils when the management proxy is enabled - which it is in the default configuration. An attacker can manipulate the URL to redirect requests to an arbitrary server or execute scripts in the context of the user's session by supplying a malicious URL.
Workaround
This vulnerability can be avoided by disabling the management proxy (setting druid.router.managementProxy.enabled = false on the Router), or by blocking paths beginning with /druid/indexer, /druid/coordinator, and /proxy at the Router.