CVE-2025-27888: Apache Druid Flaw Opens Door to SSRF and XSS Risks in Real-Time Analytics Platforms
do son 
Apache has disclosed a critical security vulnerability in Apache Druid, a real-time analytics database widely used for powering OLAP dashboards and fast aggregation APIs.
The issue, tracked as CVE-2025-27888, affects Apache Druid versions prior to 31.0.2 and 32.0.1, and is classified as a combination of Server-Side Request Forgery (SSRF), Cross-Site Scripting (XSS), and Open Redirect vulnerabilities.
“When using the Druid management proxy, a request that has a specially crafted URL could be used to redirect the request to an arbitrary server instead.”
Although an attacker must be authenticated to exploit the flaw, the risk is magnified by the fact that the management proxy is enabled by default in Druid’s out-of-the-box configuration. Successful exploitation could lead to redirection to malicious websites, token theft, or even cross-site request forgery (XSRF).
Apache Druid is an open-source, column-oriented, distributed data store designed for real-time ingestion and high-speed querying of event-driven data. It’s often used to power interactive dashboards, time-series visualizations, and analytics GUIs.
This vulnerability impacts all deployments where the management proxy is left enabled — a common scenario due to its default state. While disabling the proxy mitigates the risk, doing so may break some web console features.
“If the management proxy is disabled, some web console features will not work properly, but core functionality is unaffected.”
Organizations with multi-user environments or external access to the Druid UI should be especially cautious, as authenticated attackers could abuse this flaw to redirect users to phishing pages or inject malicious scripts.
The Apache Software Foundation recommends all users upgrade to Druid 31.0.2 or 32.0.1 to fully mitigate CVE-2025-27888.
