Vulnerability in Apache Spark with Insecure Default Network Encryption
CVE-2025-55039
What is CVE-2025-55039?
Apache Spark versions prior to 4.0.0, 3.5.2, and 3.4.4 are vulnerable because of an insecure default cipher for RPC communication. When the network encryption feature is enabled without an explicit cipher configuration, Spark defaults to AES in CTR mode. CTR mode provides confidentiality only, with no integrity check, so a man-in-the-middle attacker can modify encrypted RPC traffic without the change being detected. This can compromise both heartbeat messages and application data, undermining the integrity of Spark workflows. Users are advised to set spark.network.crypto.cipher to AES/GCM/NoPadding for authenticated encryption, or to enable SSL encryption.
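As an added example (not from the advisory or the Spark project), the following Python audit parses a spark-defaults.conf and reports the exposure described above. It assumes the standard Spark keys spark.network.crypto.enabled and spark.ssl.enabled and that the insecure default cipher is spelled AES/CTR/NoPadding; the sample configs are constructed.

```python
# Added audit helper for the CVE-2025-55039 configuration weakness.
# Assumed (not on the page): the keys spark.network.crypto.enabled and
# spark.ssl.enabled, and the default cipher spelling "AES/CTR/NoPadding".
import re

SAFE_CIPHER = "AES/GCM/NoPadding"   # value the advisory recommends


def parse_spark_conf(text):
    """Parse spark-defaults.conf lines: key, whitespace (or '='), value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                     # skip blanks and comments
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf


def is_true(value):
    return (value or "").strip().lower() == "true"


def audit_rpc_encryption(conf):
    """Return findings; an empty list means no CVE-2025-55039 exposure found."""
    findings = []
    if not is_true(conf.get("spark.network.crypto.enabled")):
        return findings   # the CVE only applies when RPC encryption is on
    if is_true(conf.get("spark.ssl.enabled")):
        return findings   # SSL is the advisory's alternative mitigation
    cipher = conf.get("spark.network.crypto.cipher")
    if cipher is None:
        findings.append("spark.network.crypto.cipher unset: insecure CTR default applies")
    elif cipher.upper() != SAFE_CIPHER.upper():
        findings.append(f"spark.network.crypto.cipher={cipher}: unauthenticated mode")
    return findings


# Constructed sample configs (not taken from any real deployment)
WEAK_CONF = """
spark.authenticate            true
spark.network.crypto.enabled  true
"""
FIXED_CONF = """
spark.authenticate            true
spark.network.crypto.enabled  true
spark.network.crypto.cipher   AES/GCM/NoPadding
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_rpc_encryption(parse_spark_conf(text)) or ["OK"])
```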
Affected Version(s)
Apache Spark 3.5.0 < 3.5.2
Apache Spark 0 < 3.4.4