CVE-2025-59060 Overview
CVE-2025-59060 is a hostname verification bypass vulnerability in the NiFiRegistryClient and NiFiClient components of Apache Ranger. The flaw affects Apache Ranger versions up to and including 2.7.0. The issue stems from improper certificate validation [CWE-297]: the clients accept a server certificate that chains to a trusted CA without checking that it was issued for the expected hostname, so an attacker on the network path between Ranger and a NiFi or NiFi Registry service can impersonate that service with a certificate issued for a different name.
The vulnerability impacts confidentiality of data exchanged between Ranger and NiFi components but does not affect integrity or availability. Apache addressed the issue in Apache Ranger version 2.8.0.
Critical Impact
A network-positioned attacker who holds a certificate issued by any CA in Ranger's truststore, even one issued for an unrelated hostname, can intercept the TLS sessions Ranger opens to NiFi and NiFi Registry, exposing the resource lookups Ranger makes and the metadata those services return.
Affected Products
- Apache Ranger versions <= 2.7.0
- Apache Ranger NiFiRegistryClient component
- Apache Ranger NiFiClient component
Discovery Timeline
- 2026-03-03 - CVE-2025-59060 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2025-59060
Vulnerability Analysis
The vulnerability is classified under [CWE-297]: Improper Validation of Certificate with Host Mismatch. Apache Ranger uses NiFiRegistryClient and NiFiClient to communicate with Apache NiFi and NiFi Registry services over TLS. These clients establish HTTPS connections to retrieve resource metadata that Ranger uses when managing policies for those services.
The affected clients validate the certificate chain against the truststore but never check that the certificate was issued for the host being contacted, that is, that a Subject Alternative Name (or, for legacy certificates, the Common Name) matches the target hostname. Any certificate that chains to a certificate authority in the truststore Ranger uses is therefore enough to impersonate the NiFi or NiFi Registry endpoint.
The impact is limited to information disclosure. The published CVSS vector reflects low confidentiality impact with no integrity or availability consequences. Data exposed may include NiFi resource identifiers and metadata retrieved during policy synchronization.
Root Cause
The root cause is that the HTTPS clients inside NiFiRegistryClient and NiFiClient never perform hostname verification. In Java this is an easy step to lose: JSSE itself validates the chain but does no endpoint identification unless the SSLParameters carry an endpoint identification algorithm ("HTTPS"), and HTTP-level clients such as HttpsURLConnection or a JAX-RS client keep their built-in check only as long as no permissive HostnameVerifier is installed over it. Whichever path the affected Ranger clients take, the effect is the same: a chain that validates is accepted for any hostname.
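To make the root cause concrete, here is an added illustration, not code from Apache Ranger, of the two ways a Java HTTPS client ends up without hostname verification and how each is fixed. The class name, the example URL and the use of the JVM default SSLContext are assumptions for the demonstration; the javax.net.ssl and javax.ws.rs calls named are standard JDK and JAX-RS APIs.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import java.io.IOException;
import java.net.URL;

/**
 * Added example of the CWE-297 pattern behind CVE-2025-59060 (hypothetical, not Ranger code).
 * Each vulnerable method is paired with its fixed form.
 */
public final class NiFiEndpointClientDemo {

    // 1) Raw JSSE socket, VULNERABLE form: the default SSLParameters carry no endpoint
    //    identification algorithm, so JSSE checks chain and trust only, never the name.
    static SSLSocket handshakeNoHostnameCheck(SSLContext ctx, String host, int port) throws IOException {
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        socket.startHandshake(); // completes for any certificate the truststore trusts
        return socket;
    }

    // 1') FIXED: request RFC 6125 "HTTPS" endpoint identification before the handshake.
    static SSLSocket handshakeWithHostnameCheck(SSLContext ctx, String host, int port) throws IOException {
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake(); // SSLHandshakeException when no SAN/CN matches host
        return socket;
    }

    // 2) HttpsURLConnection, VULNERABLE form: a verifier that accepts every host is installed.
    //    HttpsURLConnection still tries its own name check first, but on mismatch it defers
    //    to this verifier, which says yes. The JAX-RS equivalent is
    //    ClientBuilder.newBuilder().sslContext(ctx).hostnameVerifier((h, s) -> true).
    static HttpsURLConnection openAcceptAnyHost(SSLContext ctx, URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((hostname, session) -> true); // CWE-297
        return conn;
    }

    // 2') FIXED: leave the default verifier in place; a custom SSLSocketFactory alone
    //     does not switch the built-in hostname check off.
    static HttpsURLConnection openStrict(SSLContext ctx, URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical endpoint; in practice this comes from the Ranger service configuration.
        URL nifiRegistry = new URL("https://nifi-registry.example.internal:18443/nifi-registry-api/buckets");
        SSLContext ctx = SSLContext.getDefault(); // honours the javax.net.ssl.trustStore* properties
        HttpsURLConnection conn = openStrict(ctx, nifiRegistry);
        System.out.println("HTTP " + conn.getResponseCode() + " from " + conn.getPeerPrincipal());
    }
}
```

The pairing to remember is that the fix is never "add a HostnameVerifier": it is either to set the endpoint identification algorithm on raw JSSE sockets or to stop overriding the check that HttpsURLConnection and JAX-RS clients already perform.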
Attack Vector
Exploitation requires a position on the network path between the Apache Ranger admin service and the NiFi or NiFi Registry endpoint, plus a certificate that Ranger's truststore accepts (issued by any CA in that truststore, for any hostname). The attacker steers Ranger's traffic to an endpoint under their control, for example through DNS or ARP spoofing or a compromised network device, and presents that certificate. Because the hostname is never checked, the TLS handshake succeeds and Ranger sends its requests to the attacker, who can read them along with any responses relayed back from the real service.
The vulnerability mechanism is described in the Apache Security Discussion Thread and the Openwall OSS Security Update. No public proof-of-concept code is available.
Detection Methods for CVE-2025-59060
Indicators of Compromise
- Unexpected TLS connections from Apache Ranger hosts to IP addresses that do not match configured NiFi or NiFi Registry endpoints.
- Certificate fingerprints captured from Ranger's outbound TLS handshakes (via packet capture or JSSE handshake debug logging) that differ from the fingerprint of the certificate actually installed on the NiFi or NiFi Registry service.
- DNS resolution anomalies for NiFi service hostnames originating from Ranger admin hosts.
Detection Strategies
- Compare the running Apache Ranger version against 2.8.0 using package inventory or the Ranger admin UI to identify vulnerable deployments.
- Inspect network flows between Ranger and NiFi services for connections crossing unexpected network boundaries or transiting unmanaged segments.
- Enable TLS handshake logging on the Ranger admin JVM (for example -Djavax.net.debug=ssl:handshake, which is verbose and belongs in a targeted audit rather than steady-state operation) and compare the Subject and Subject Alternative Name fields of the presented server certificate against the hostnames configured for the NiFi and NiFi Registry services.
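The fingerprint comparison and the SAN audit above can be done with a small probe run from the Ranger host. The following is an added example, not a tool shipped with Ranger: it deliberately handshakes the way the vulnerable client does (chain validation only, no endpoint identification) so that it completes even against an impersonating endpoint, then reports whether the presented leaf certificate actually names the configured host and whether its SHA-256 fingerprint matches the one recorded from the real NiFi keystore. The class name and command-line arguments are assumptions; the SAN matching applies RFC 6125 rules for a single leftmost wildcard label and does not fall back to the Common Name.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

/** Added audit probe (hypothetical, not part of Apache Ranger). */
public final class NiFiEndpointAudit {

    /** Matches one dNSName SAN entry against the expected host: case-insensitive, at most one
     *  wildcard and only as the leftmost label, never covering a whole second-level domain
     *  (so "*.internal" is rejected, and "*.example.internal" does not match "a.b.example.internal"). */
    static boolean dnsNameMatches(String san, String host) {
        san = san.toLowerCase();
        host = host.toLowerCase();
        if (!san.startsWith("*.")) {
            return san.equals(host);
        }
        String suffix = san.substring(1);          // "*.example.internal" -> ".example.internal"
        if (suffix.indexOf('.', 1) < 0) {          // reject "*.internal" style wildcards
            return false;
        }
        int firstDot = host.indexOf('.');
        if (firstDot <= 0) {                       // the wildcard must replace exactly one label
            return false;
        }
        return host.substring(firstDot).equals(suffix);
    }

    /** True when any dNSName (GeneralName type 2) SAN matches; no Common Name fallback. */
    static boolean certMatchesHost(X509Certificate cert, String host) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            return false;
        }
        for (List<?> san : sans) {
            if (Integer.valueOf(2).equals(san.get(0)) && dnsNameMatches((String) san.get(1), host)) {
                return true;
            }
        }
        return false;
    }

    /** SHA-256 over the DER encoding, formatted like openssl x509 -fingerprint -sha256. */
    static String sha256Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) {
                sb.append(':');
            }
            sb.append(String.format("%02X", b & 0xff));
        }
        return sb.toString();
    }

    /** Handshakes exactly as the vulnerable client does (no endpoint identification), so the
     *  probe succeeds even against an impersonator, then reports what was presented. */
    static void audit(String host, int port, String expectedFingerprint) throws Exception {
        SSLContext ctx = SSLContext.getDefault();  // same truststore rules as the JVM running Ranger
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.startHandshake();
            X509Certificate leaf = (X509Certificate) socket.getSession().getPeerCertificates()[0];
            String fingerprint = sha256Fingerprint(leaf);
            System.out.println("subject              : " + leaf.getSubjectX500Principal());
            System.out.println("SAN names host       : " + certMatchesHost(leaf, host));
            System.out.println("SHA-256 fingerprint  : " + fingerprint);
            System.out.println("fingerprint expected : " + fingerprint.equalsIgnoreCase(expectedFingerprint));
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: NiFiEndpointAudit <nifi-host> <port> <expected-sha256-fingerprint>");
            System.exit(2);
        }
        audit(args[0], Integer.parseInt(args[1]), args[2]);
    }
}
```

Run it with the host and port taken from the NiFi service definition in Ranger and the fingerprint taken directly from the NiFi keystore. "SAN names host : false" or a fingerprint mismatch on a host that Ranger is happily talking to is exactly the condition a vulnerable Ranger cannot see for itself.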
Monitoring Recommendations
- Monitor ARP and DNS infrastructure on subnets hosting Ranger and NiFi for spoofing or poisoning activity.
- Alert on changes to the truststore Ranger uses for outbound TLS (the JVM cacerts file or a truststore configured for the Ranger admin service), since any CA added there can issue a certificate that the vulnerable clients will accept for the NiFi hostname.
- Log and review all outbound HTTPS connections from Ranger services using network telemetry or host-based flow collection.
How to Mitigate CVE-2025-59060
Immediate Actions Required
- Upgrade Apache Ranger to version 2.8.0 or later, which restores hostname verification in the affected clients.
- Inventory all Ranger deployments and confirm whether the NiFi or NiFi Registry plugins are configured and actively communicating.
- Audit the JVM truststore used by Ranger and remove any certificate authorities that are not required for production operation.
Patch Information
Apache Ranger version 2.8.0 resolves the hostname verification bypass. Operators running version 2.7.0 or earlier should plan the upgrade according to the project release notes. Refer to the Apache Security Discussion Thread for the official advisory.
Workarounds
- Restrict network paths between Apache Ranger and NiFi services to dedicated VLANs or private subnets that exclude untrusted hosts.
- If the upgrade cannot happen immediately, limit the truststore Ranger uses for the NiFi and NiFi Registry connections to the private CA (or the individual service certificate) that issued those services' certificates, so an attacker needs a certificate from that CA rather than from any CA in a general-purpose truststore; record the expected certificate fingerprint and alert on any deviation.
- Mutual TLS between Ranger and NiFi does not close this gap: it lets NiFi authenticate Ranger, but Ranger still accepts any trusted server certificate regardless of hostname and will complete the handshake with an impersonating endpoint. Treat mTLS as defence in depth on the NiFi side, not as a substitute for the upgrade.
# Verify installed Apache Ranger version (package-based installs)
rpm -qa | grep -i ranger
# Or for tarball installs: the extracted directory is named after the release
# (for example ranger-2.7.0-admin); a version file, where present, sits under
# the install root, whose path varies by deployment
cat /opt/ranger/version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.