CVE-2025-55039

CWE-326, CWE-347 | 5 documents | 5 sources

Severity: 6.5 MEDIUM
EPSS: 0.1% (top 82.03%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 15; Latest update Jan 15

Description

This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0. Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes. When spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication. This vulnerability allows a man-in-t

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 3.9 | Impact: 2.5

Affected Packages (4 packages)

NVD | apache/spark | 3.5.0 | 3.5.2 | +1
CVEListV5 | apache_software_foundation/apache_spark | 3.5.0 | 3.5.2 | +1

🔴 Vulnerability Details (3)

GHSA: Apache Spark has Inadequate Encryption Strength (2025-10-15)
OSV: Apache Spark has Inadequate Encryption Strength (2025-10-15)
CVEList: Apache Spark, Apache Spark: RPC encryption defaults to unauthenticated AES-CTR mode, enabling man-in-the-middle ciphertext modification attacks (2025-10-15)

📋 Vendor Advisories (1)

Oracle: Oracle GoldenGate Risk Matrix: General (Apache Spark) — CVE-2025-55039 (2026-01-15)
CVE-2025-55039 (MEDIUM CVSS 6.5) | This issue affects Apache Spark ver | cvebase.io