CVE-2025-54920
published 2026-03-16


Priority: P2 (67) high · CVSS 3.1 base score 8.8
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 5.34% (91.6th percentile)
This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue.

Summary

Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server.

Details

The vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects, allowing an attacker to specify arbitrary class names in the event JSON. This behavior permits instantiating unintended classes, such as org.apache.hive.jdbc.HiveConnection, which can perform network calls or other malicious actions during deserialization. The attacker can exploit this by injecting crafted JSON content into the Spark event log files, which the History Server then deserializes on startup or when loading event logs. For example, the attacker can force the History Server to open a JDBC connection to a remote attacker-controlled server, demonstrating remote command injection capability.

Proof of Concept:

1. Run Spark with event logging enabled, writing to a writable directory (spark-logs).
2. Inject the following JSON at the beginning of an event log file:

   {
     "Event": "org.apache.hive.jdbc.HiveConnection",
     "uri": "jdbc:hive2://:/",
     "info": {
       "hive.metastore.uris": "thrift://:"
     }
   }

3. Start the Spark History Server with logs pointing to the modified directory.
4. The Spark History Server initiates a JDBC connection to the attacker's server, confirming the injection.

Impact

An attacker with write access to Spark event logs can execute arbitrary code on the server running the History Server, potentially compromising the ent

Affected

5 ranges

Vendor                      Product       Version range      Fixed in
apache                      spark         < 3.5.7            3.5.7
apache                      spark
apache                      spark
apache_software_foundation  apache_spark  < 3.5.7            3.5.7
apache_software_foundation  apache_spark  >= 4.0.0 < 4.0.1   4.0.1

Detection & IOCs (extracted from sources)

other: {"Event": "org.apache.hive.jdbc.HiveConnection", "uri": "jdbc:hive2://:/", "info": {"hive.metastore.uris": "thrift://:"}}
process: org.apache.hive.jdbc.HiveConnection
  • Monitor Spark event log files for JSON entries where the 'Event' field contains a fully-qualified Java class name other than expected SparkListenerEvent subclasses (e.g., 'org.apache.hive.jdbc.HiveConnection'). This indicates exploitation of the Jackson polymorphic deserialization gadget.
  • Inspect event log files in the configured spark-logs directory for injected JSON payloads at the beginning of log files, particularly those containing 'jdbc:hive2://' or 'thrift://' URI schemes in the 'uri' or 'hive.metastore.uris' fields.
  • Detect exploitation by monitoring for unexpected class instantiation during Spark History Server startup or event log loading: specifically, any class not in the org.apache.spark.scheduler namespace being deserialized as a SparkListenerEvent.
  • The vulnerability is only exploitable by an attacker who already has write access to the Spark event logs directory. Restricting filesystem permissions on the spark-logs directory is a critical hardening step.
  • The root cause is the use of @JsonTypeInfo.Id.CLASS in Jackson deserialization of SparkListenerEvent objects. Deployments using affected versions (Apache Spark before 3.5.7 and 4.0.1) with a publicly or broadly writable event log directory are at highest risk.
  • Red Hat has deferred fixes for spark-core_2.11 (Red Hat Fuse 7) and rhoai/odh-mlflow-rhel9 (Red Hat OpenShift AI). No mitigation meeting Red Hat's criteria is currently available for these packages.

CVSS provenance

nvd: v3.1 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_redhat: 8.8 HIGH