CVE-2025-54920: Deserialization of Untrusted Data in Software Foundation Apache Spark

Severity: 8.8 HIGH (NVD)
EPSS: 0.7% (top 27.52%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 16

Description

This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue.

Summary: Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (2 packages)

NVD: apache/spark < 3.5.7 (+2)
CVEListV5: apache_software_foundation/apache_spark 4.0.0 (fixed in 4.0.1) (+1)

🔴 Vulnerability Details (3)

GHSA: Apache Spark: Spark History Server Code Execution Vulnerability (2026-03-16)
OSV: Apache Spark: Spark History Server Code Execution Vulnerability (2026-03-16)
CVEList: Apache Spark: Spark History Server Code Execution Vulnerability (2026-03-14)

📋 Vendor Advisories (1)

Red Hat: org.apache.spark/spark-core: Apache Spark: Spark History Server Code Execution Vulnerability (2026-03-14)

🕵️ Threat Intelligence (1)

Wiz: CVE-2025-54920 Impact, Exploitability, and Mitigation Steps | Wiz