CVE-2025-55039

Oct. 15, 2025, 8:15 p.m.

6.5
Medium

Description

This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0. Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes. When spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication. This vulnerability allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows. To mitigate this issue, users should either configure spark.network.crypto.cipher to AES/GCM/NoPadding to enable authenticated encryption or enable SSL encryption by setting spark.ssl.enabled to true, which provides stronger transport security.

Product(s) Impacted

Vendor Product Versions
Apache
  • Spark
  • <3.4.4, <3.5.2, <4.0.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-326
Inadequate Encryption Strength
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a apache spark <3.4.4 / / / / / / /
a apache spark <3.5.2 / / / / / / /
a apache spark <4.0.0 / / / / / / /

References

https://lists.apache.org/thread/zrgyy9l85nm2c7vk36vr7bkyorg3w4qq

Tags

security@apache.org
CWE-326
2025-10-15
CVE-2025-55039

CVSS Score

6.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

    View Vector String

Timeline

Published: Oct. 15, 2025, 8:15 a.m.
Last Modified: Oct. 15, 2025, 8:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@apache.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.