Code Execution Vulnerability in Apache Spark History Server
CVE-2025-54920

8.8HIGH

Key Information:

Vendor

Apache
Status
Apache Spark
Vendor
CVE Published:
14 March 2026

What is CVE-2025-54920?

The Spark History Server in Apache Spark versions prior to 3.5.7 and 4.0.1 is susceptible to a code execution vulnerability due to overly permissive Jackson deserialization of event log data. Attackers with access to the event logs directory can inject malicious JSON payloads into the event log files. This exploitation allows deserialization of arbitrary classes, potentially leading to unauthorized command execution on the server where the History Server operates. To mitigate this risk, it is crucial for users to upgrade to version 3.5.7 or 4.0.1 and above, which incorporate necessary security enhancements.

Affected Version(s)

Apache Spark 0 < 3.5.7

Apache Spark 4.0.0 < 4.0.1

References

https://github.com/apache/spark/pull/51312
patch
https://github.com/apache/spark/pull/51323
patch
https://issues.apache.org/jira/browse/SPARK-52381
issue-tracking

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alexandre Pujol (Linagora)
.