CVE-2025-54920
Code Execution vulnerability in spark-core_2.13 (Maven)
What is CVE-2025-54920 About?
Apache Spark's History Web UI is vulnerable to remote code execution due to overly permissive Jackson deserialization of event log data. An attacker with access to Spark event logs can inject malicious JSON payloads, triggering arbitrary class deserialization and enabling command execution. This vulnerability presents a high impact and can be exploited with moderate effort.
Affected Software
- org.apache.spark:spark-core_2.13
  - >=4.0.0, <4.0.1
  - <3.5.7
- org.apache.spark:spark-core_2.12
  - <3.5.7
- org.apache.spark:spark-core_2.11
  - <=2.4.8
- org.apache.spark:spark-core_2.10
  - <=2.2.3
- org.apache.spark:spark-core_2.9.3
  - <=0.8.1-incubating
Technical Details
The vulnerability stems from the Spark History Server's use of Jackson polymorphic deserialization with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects. Because the type discriminator in the event JSON is a fully-qualified class name, an attacker who can write to an event log can name an arbitrary class there. When the History Server parses the log, Jackson attempts to instantiate whatever class was specified, for example org.apache.hive.jdbc.HiveConnection with a malicious uri and info pointing at an attacker-controlled server. Instantiating such a class can trigger unintended side effects, such as outbound network connections, effectively allowing remote command injection and code execution.
What is the Impact of CVE-2025-54920?
Successful exploitation may allow attackers to execute arbitrary code on the server, gain full control of the affected system, and compromise sensitive data, leading to severe system impact.
What is the Exploitability of CVE-2025-54920?
Exploitation requires an attacker to have write access to the Spark event logs directory; the only prerequisite is the ability to place a specially crafted JSON payload into an event log file. No authentication to the History Server itself is required: the deserialization occurs when the server loads the compromised log. The attack is local in terms of file system access but results in remote code execution on the History Server. The complexity is moderate, involving knowledge of Jackson deserialization gadgets. The primary risk factors are the permissive deserialization and an attacker's ability to compromise the event log storage.
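As an added defensive check (not part of this advisory or of the Apache Spark project), the script below scans event-log lines for the polymorphic type discriminator described above and flags any fully-qualified class name outside an allowlisted package prefix. Spark's JsonProtocol writes that discriminator under the "Event" key; the sample log lines and the `org.apache.spark.` trusted prefix are constructed assumptions to tune for a real deployment.

```python
import json

# Type discriminator written by Spark's JsonProtocol for SparkListenerEvent
# (Jackson @JsonTypeInfo with property = "Event"). Built-in events carry a
# short class name; custom events carry a fully-qualified class name, which
# is exactly the value an attacker controls in CVE-2025-54920.
EVENT_KEY = "Event"

# Package prefixes this deployment expects in its event logs (assumption:
# extend for any third-party listeners that legitimately log custom events).
TRUSTED_PREFIXES = ("org.apache.spark.",)


def classify_event(line):
    """Return None if the line looks benign, otherwise a reason string."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return "unparseable JSON"
    if not isinstance(event, dict):
        return "top-level value is not an object"
    name = event.get(EVENT_KEY)
    if not isinstance(name, str):
        return "missing or non-string Event field"
    if "." not in name:
        return None  # short built-in name, e.g. SparkListenerJobStart
    if name.startswith(TRUSTED_PREFIXES):
        return None
    return f"untrusted polymorphic type: {name}"


def scan_event_log(lines):
    """Return (line_number, reason) for every suspicious non-empty line."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        reason = classify_event(line)
        if reason is not None:
            findings.append((lineno, reason))
    return findings


# Constructed sample log: built-in events, one foreign class name, and one
# legitimate fully-qualified Spark event.
SAMPLE_LOG = [
    '{"Event":"SparkListenerLogStart","Spark Version":"3.5.6"}',
    '{"Event":"SparkListenerApplicationStart","App Name":"etl","Timestamp":1700000000000}',
    '{"Event":"com.example.NotASparkEvent","uri":"constructed-placeholder"}',
    '{"Event":"org.apache.spark.sql.streaming.StreamingQueryListener$QueryStartedEvent","id":"abc"}',
]

if __name__ == "__main__":
    for lineno, reason in scan_event_log(SAMPLE_LOG):
        print(f"line {lineno}: {reason}")
```

Run it over event logs before the History Server ingests them; it complements, rather than replaces, upgrading to 3.5.7 or 4.0.1.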
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-54920?
Available Upgrade Options
- org.apache.spark:spark-core_2.12
  - <3.5.7 → Upgrade to 3.5.7
- org.apache.spark:spark-core_2.13
  - <3.5.7 → Upgrade to 3.5.7
  - >=4.0.0, <4.0.1 → Upgrade to 4.0.1
Additional Resources
- https://github.com/apache/spark/pull/51323
- https://github.com/apache/spark/pull/51312
- http://www.openwall.com/lists/oss-security/2026/03/13/4
- https://nvd.nist.gov/vuln/detail/CVE-2025-54920
- https://issues.apache.org/jira/browse/SPARK-52381
- https://osv.dev/vulnerability/GHSA-jwp6-cvj8-fw65
- https://lists.apache.org/thread/4y9n0nfj7m68o2hpmoxgc0y7dm1lo02s
- https://github.com/apache/spark
What are Similar Vulnerabilities to CVE-2025-54920?
Similar Vulnerabilities: CVE-2022-22965, CVE-2021-44228, CVE-2021-21390, CVE-2020-9484, CVE-2017-7657
