Home > Vulnerability Database > CVE-2025-68637

Mend.io Vulnerability Database

CVE-2025-68637

Good to know:

Date: January 7, 2026

The Uniffle HTTP client is configured to trust all SSL certificates and disables hostname verification by default. This insecure configuration exposes all REST API communication between the Uniffle CLI/client and the Uniffle Coordinator service to potential Man-in-the-Middle (MITM) attacks. This issue affects all versions from before 0.10.0. Users are recommended to upgrade to version 0.10.0, which fixes the issue.

Severity Score

9.1

Related Resources (5)

Url: https://seclists.org/oss-sec/2025/q4/294

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-68637

Url: http://www.openwall.com/lists/oss-security/2025/12/27/2

Url: https://lists.apache.org/thread/trvdd11hmpbjno3t8rc9okr4t036ox2v

Url: https://www.mend.io/vulnerability-database/CVE-2025-68637

Severity Score

9.1

Weakness Type (CWE)

Improper Validation of Certificate with Host Mismatch

CWE-297

Top Fix

Upgrade Version

Upgrade to version https://github.com/apache/uniffle.git - v0.10.0-rc1

Learn More

CVSS v3.1

Base Score:	9.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-68637

Good to know:

Date: January 7, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?