CVE-2025-54920

Опубликовано: 16 мар. 2026

Источник: nvd

CVSS3: 8.8

EPSS Низкий

Описание

This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue.

Summary

Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server.

Details

The vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects, allowing an attacker to specify arbitrary class names in the event JSON. This behavior permits instantiating unintended classes, such as org.apache.hive.jdbc.HiveConnection, which can perform network calls or other malicious actions during deserialization.

Ссылки

https://github.com/apache/spark/pull/51312
Issue Tracking
https://github.com/apache/spark/pull/51323
Issue Tracking
https://issues.apache.org/jira/browse/SPARK-52381
Issue Tracking
https://lists.apache.org/thread/4y9n0nfj7m68o2hpmoxgc0y7dm1lo02s
Mitigation
Vendor Advisory
Exploit
http://www.openwall.com/lists/oss-security/2026/03/13/4
Mailing List
Third Party Advisory
Exploit

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*

Версия до 3.5.7 (исключая)

cpe:2.3:a:apache:spark:4.0.0:-:*:*:*:*:*:*

cpe:2.3:a:apache:spark:4.0.0:rc1:*:*:*:*:*:*

cpe:2.3:a:apache:spark:4.0.0:rc2:*:*:*:*:*:*

cpe:2.3:a:apache:spark:4.0.0:rc3:*:*:*:*:*:*

cpe:2.3:a:apache:spark:4.0.0:rc4:*:*:*:*:*:*

cpe:2.3:a:apache:spark:4.0.0:rc5:*:*:*:*:*:*

cpe:2.3:a:apache:spark:4.0.0:rc6:*:*:*:*:*:*

cpe:2.3:a:apache:spark:4.0.0:rc7:*:*:*:*:*:*

cpe:2.3:a:apache:spark:4.0.1:rc1:*:*:*:*:*:*

EPSS

Процентиль: 71%

0.00674

Низкий

8.8 High

CVSS3

Дефекты

CWE-502

Связанные уязвимости

CVE-2025-54920

CVSS3: 6.7

redhat

27 дней назад

This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue. Summary Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server. Details The vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects, allowing an attacker to specify arbitrary class names in the event JSON. This behavior permits instantiating unintended classes, such as org.apache.hive.jdbc.HiveConnection, which can perform network calls or other malicious actions during deserialization. The attacker ...

GHSA-jwp6-cvj8-fw65

CVSS3: 8.8

github

24 дня назад

Apache Spark: Spark History Server Code Execution Vulnerability

BDU:2026-04646

CVSS3: 6.3

fstec

10 месяцев назад

Уязвимость функции spark-submit фреймворка Apache Spark, связанная с недостатками механизма десериализации, позволяющая нарушителю выполнять произвольные команды