PT-2026-25504 · Fasterxml+1 · Jackson+1

Alexandre Pujol · Published 2025-06-01 · Updated 2026-03-18 · CVE-2025-54920

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache Spark versions prior to 3.5.7 and 4.0.1

Description: Apache Spark 3.5.4 and earlier versions contain a code execution issue in the Spark History Web UI, caused by overly permissive Jackson deserialization of event log data. An attacker who can write to the Spark event logs directory can inject malicious JSON payloads; these payloads trigger the deserialization of arbitrary classes, potentially allowing command execution on the host running the Spark History Server.

The vulnerability stems from the use of Jackson polymorphic deserialization with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects, which lets an attacker specify arbitrary class names within the event JSON. This enables the instantiation of unintended classes, such as org.apache.hive.jdbc.HiveConnection, which can then perform network calls or other malicious actions during deserialization.

An attacker can exploit this by injecting crafted JSON content into the Spark event log files, which the History Server deserializes when starting up or loading event logs. For example, an attacker could force the History Server to open a JDBC connection to a remote, attacker-controlled server, demonstrating remote command injection. An attacker with write access to Spark event logs can therefore execute arbitrary code on the server running the History Server, potentially compromising the entire system.

Recommendations: Upgrade to Apache Spark version 3.5.7 or 4.0.1, or a later version, to resolve this issue.
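As an added illustration (not code from this advisory or from Apache Spark), the weak @JsonTypeInfo.Id.CLASS pattern described above is shown beside two hardened alternatives: an Id.NAME allow-list of subtypes, and a PolymorphicTypeValidator for cases where Id.CLASS must stay. Event class names, the "Event" property name and the sample records are hypothetical; Jackson 2.10 or later is assumed for the validator API.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;

public class PolymorphicEventDemo {
    // Weak pattern named in the advisory: the type id in the JSON is a Java class name,
    // so the event log decides which class gets instantiated (hypothetical classes).
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, property = "Event")
    public static abstract class WeakEvent { }
    public static class LegacyEvent extends WeakEvent { public int jobId; }

    // Hardened pattern: the type id is a logical name resolved only through an
    // explicit allow-list; any other name is rejected before any class is loaded.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "Event")
    @JsonSubTypes({ @JsonSubTypes.Type(value = JobStart.class, name = "JobStart") })
    public static abstract class SafeEvent { }
    public static class JobStart extends SafeEvent { public int jobId; }

    // Constructed sample records (hypothetical names, not real Spark event log lines).
    static final String BY_NAME = "{\"Event\":\"JobStart\",\"jobId\":7}";
    static final String UNKNOWN = "{\"Event\":\"com.example.NotAnEvent\",\"jobId\":7}";
    static final String BY_CLASS = "{\"Event\":\"PolymorphicEventDemo$LegacyEvent\",\"jobId\":7}";

    // True when the mapper refuses to resolve the record's type id.
    static boolean rejects(ObjectMapper mapper, String json, Class<?> base) throws Exception {
        try { mapper.readValue(json, base); return false; }
        catch (InvalidTypeIdException e) { return true; }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper plain = new ObjectMapper();
        System.out.println("Id.NAME, listed name parsed: "
            + plain.readValue(BY_NAME, SafeEvent.class).getClass().getSimpleName());
        System.out.println("Id.NAME, unlisted name rejected: " + rejects(plain, UNKNOWN, SafeEvent.class));
        // With Id.CLASS and Jackson's default (permissive) validator, whatever class the
        // record names is loaded and instantiated, so this prints false.
        System.out.println("Id.CLASS, default validator rejects: " + rejects(plain, BY_CLASS, WeakEvent.class));

        // If Id.CLASS cannot be replaced, a PolymorphicTypeValidator (Jackson 2.10+) limits
        // which class names the mapper will resolve, here to one package prefix.
        ObjectMapper restricted = new ObjectMapper().setPolymorphicTypeValidator(
            BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.events.")
                .build());
        System.out.println("Id.CLASS, restricted validator rejects: " + rejects(restricted, BY_CLASS, WeakEvent.class));
    }
}
```

The same record is accepted by the default validator and refused by the restricted one, which is the property a History Server reading attacker-writable event logs needs.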

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers

BDU:2026-04646
BIT-SPARK-2025-54920
CVE-2025-54920
GHSA-JWP6-CVJ8-FW65

Affected Products

Apache Spark
Jackson