CVE-2025-55039

MEDIUM

Apache Spark <4.0.0-3.5.2-3.4.4 - Info Disclosure

Title source: llm

Description

This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0. Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes. When spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication. This vulnerability allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows. To mitigate this issue, users should either configure spark.network.crypto.cipher to AES/GCM/NoPadding to enable authenticated encryption or enable SSL encryption by setting spark.ssl.enabled to true, which provides stronger transport security.

References (2)

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/zrgyy9l85nm2c7vk36vr7bkyorg3w4qq

[Mailing List] http://www.openwall.com/lists/oss-security/2025/10/14/11

Scores

CVSS v3 6.5

EPSS 0.0006

EPSS Percentile 17.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-326 CWE-347

Status published

Products (3)

apache/spark < 3.4.4

org.apache.spark/spark-network-common_2.12 0 - 3.4.4Maven

org.apache.spark/spark-network-common_2.13 3.5.0 - 3.5.2Maven

Published Oct 15, 2025

Tracked Since Feb 18, 2026