CVE-2025-55039

Source
https://cve.org/CVERecord?id=CVE-2025-55039
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-55039.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-55039
Aliases
Published
2025-10-15T08:15:38.460Z
Modified
2026-05-20T08:11:31.637715612Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
[none]
Details

Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0 use an insecure default network encryption cipher for RPC communication between nodes.

When spark.network.crypto.enabled is set to true (it is false by default) but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication: the receiver gets no integrity tag to verify, so any ciphertext decrypts to something.

Because CTR mode XORs the plaintext with a keystream, a man-in-the-middle attacker who can alter RPC traffic can flip chosen bits in the ciphertext and thereby flip the same bits in the decrypted plaintext without knowing the key, and the change goes undetected. An attacker who knows or can guess the layout of a message can rewrite fields in heartbeat messages or application data, affecting the integrity of Spark workflows. The CVSS vector (C:L/I:L/A:N) reflects this: the issue is primarily an integrity weakness.
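The bit-flipping attack described above, shown as an added example in Go using only the standard library (this is not code from the Spark project, whose transport layer is Scala/Java): a constructed heartbeat-like message is encrypted under AES/CTR, one field is rewritten in the ciphertext without the key, and the receiver decrypts the forged value with no error; the identical edit against AES/GCM fails authentication. The key, IV, nonce and message format are constructed for illustration and do not match Spark's real handshake or wire format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed key, CTR counter block and GCM nonce, for illustration only.
// Spark derives its real RPC keys during the connection handshake.
var (
	demoKey   = []byte("0123456789abcdef") // 16 bytes -> AES-128
	demoIV    = []byte("fedcba9876543210") // 16-byte CTR initial counter
	demoNonce = []byte("0123456789ab")     // 12-byte GCM nonce
)

// Constructed heartbeat-like RPC payload; the real Spark wire format differs.
var heartbeat = []byte("HEARTBEAT executor=07 status=UP")

// ctrXOR is AES/CTR/NoPadding: plaintext XOR keystream, no tag. Encryption and
// decryption are the same operation.
func ctrXOR(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// xorDelta returns oldVal XOR newVal. XORing this into a CTR ciphertext at the
// field's offset turns the decrypted field from oldVal into newVal.
func xorDelta(oldVal, newVal []byte) []byte {
	d := make([]byte, len(oldVal))
	for i := range oldVal {
		d[i] = oldVal[i] ^ newVal[i]
	}
	return d
}

// tamper applies delta to a copy of the ciphertext at offset: what a
// man-in-the-middle does without ever learning the key.
func tamper(ciphertext []byte, offset int, delta []byte) []byte {
	t := make([]byte, len(ciphertext))
	copy(t, ciphertext)
	for i, d := range delta {
		t[offset+i] ^= d
	}
	return t
}

// CTRTamperDemo encrypts the heartbeat under CTR, rewrites the executor id in
// transit and returns what the receiver decrypts. CTR gives it nothing to
// check, so the forged message is accepted as-is.
func CTRTamperDemo() string {
	ct := ctrXOR(demoKey, demoIV, heartbeat)
	off := bytes.Index(heartbeat, []byte("07"))
	forged := tamper(ct, off, xorDelta([]byte("07"), []byte("42")))
	return string(ctrXOR(demoKey, demoIV, forged))
}

// GCMTamperDemo repeats the identical edit against AES/GCM/NoPadding. GCM
// appends an authentication tag, so Open rejects the modified ciphertext.
// Returns (genuine message decrypts, forged message rejected).
func GCMTamperDemo() (bool, bool) {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	ct := gcm.Seal(nil, demoNonce, heartbeat, nil) // ciphertext || 16-byte tag
	pt, err := gcm.Open(nil, demoNonce, ct, nil)
	genuineOK := err == nil && bytes.Equal(pt, heartbeat)

	off := bytes.Index(heartbeat, []byte("07"))
	forged := tamper(ct, off, xorDelta([]byte("07"), []byte("42")))
	_, err = gcm.Open(nil, demoNonce, forged, nil)
	return genuineOK, err != nil
}

func main() {
	fmt.Printf("CTR receiver decrypts: %q\n", CTRTamperDemo())
	ok, rejected := GCMTamperDemo()
	fmt.Printf("GCM genuine accepted=%v, forged rejected=%v\n", ok, rejected)
}
```

The attacker needs only the ciphertext, the byte offset of the field and the field's original value; the key never enters the calculation. With GCM the same edit invalidates the tag and Open returns an error before any plaintext is released.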

To mitigate this issue, either configure spark.network.crypto.cipher to AES/GCM/NoPadding, so that RPC encryption is authenticated and tampered messages are rejected, or enable SSL by setting spark.ssl.enabled to true, which provides stronger transport security. Spark 3.4.4, 3.5.2 and 4.0.0 and later are not affected.
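A configuration audit for the mitigation above, as an added example in Go (not Spark's own code): it parses spark-defaults.conf syntax and applies the advisory's conditions (crypto enabled, cipher unset or CTR, SSL not enabled) to three constructed fragments, one weak and two mitigated. It inspects configuration only; the CTR default it assumes applies to versions before 3.4.4, 3.5.2 and 4.0.0, which the function cannot see.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed spark-defaults.conf fragments for the check below; none is
// taken from a real cluster.
const WeakConf = `
# RPC encryption on, cipher left at the pre-fix default (AES/CTR/NoPadding)
spark.network.crypto.enabled   true
`

const FixedConf = `
# Same, with authenticated encryption selected explicitly
spark.network.crypto.enabled   true
spark.network.crypto.cipher    AES/GCM/NoPadding
`

const SSLConf = `
# Alternative mitigation: SSL on the transport
spark.network.crypto.enabled   true
spark.ssl.enabled              true
`

// ParseSparkConf reads spark-defaults.conf syntax: one "key value" pair per
// line (whitespace or '=' separated), '#' comments and blank lines ignored.
func ParseSparkConf(text string) map[string]string {
	conf := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, val := line, ""
		if i := strings.IndexAny(line, " \t="); i >= 0 {
			key = line[:i]
			val = strings.TrimSpace(strings.TrimLeft(line[i:], " \t="))
		}
		conf[key] = val
	}
	return conf
}

// UnauthenticatedRPCCrypto applies the advisory's conditions to a parsed
// config: crypto enabled, cipher unset (defaults to CTR) or CTR explicitly,
// and no SSL on the transport. The second value explains the verdict.
func UnauthenticatedRPCCrypto(conf map[string]string) (bool, string) {
	if !strings.EqualFold(conf["spark.network.crypto.enabled"], "true") {
		return false, "spark.network.crypto.enabled is not true; RPC crypto not in use"
	}
	if strings.EqualFold(conf["spark.ssl.enabled"], "true") {
		return false, "spark.ssl.enabled=true; transport protected by SSL"
	}
	cipher, set := conf["spark.network.crypto.cipher"]
	switch {
	case !set || cipher == "":
		return true, "spark.network.crypto.cipher unset; defaults to AES/CTR/NoPadding (no authentication)"
	case strings.EqualFold(cipher, "AES/CTR/NoPadding"):
		return true, "spark.network.crypto.cipher=AES/CTR/NoPadding; encryption without authentication"
	case strings.EqualFold(cipher, "AES/GCM/NoPadding"):
		return false, "spark.network.crypto.cipher=AES/GCM/NoPadding; authenticated encryption"
	default:
		return false, "spark.network.crypto.cipher=" + cipher + "; non-default cipher, review manually"
	}
}

func main() {
	for name, text := range map[string]string{"weak": WeakConf, "fixed": FixedConf, "ssl": SSLConf} {
		vuln, why := UnauthenticatedRPCCrypto(ParseSparkConf(text))
		fmt.Printf("%-5s vulnerable=%v  %s\n", name, vuln, why)
	}
}
```

Feed it the contents of each cluster's spark-defaults.conf (and anything set programmatically via SparkConf, which this parser does not see) and treat a true verdict on a pre-fix version as a finding.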

References

Affected packages

Git / github.com/apache/spark

Affected ranges

Type
GIT
Repo
https://github.com/apache/spark
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.4.4"
        },
        {
            "introduced": "3.5.0"
        },
        {
            "fixed": "3.5.2"
        }
    ]
}

Affected versions

0.*
0.3-scala-2.8
alpha-0.*
alpha-0.2
v0.*
v0.6.0
v0.7.0
v3.*
v3.0.0-preview
v3.0.0-preview-rc1
v3.0.0-preview-rc2
v3.4.0
v3.4.0-rc1
v3.4.0-rc2
v3.4.0-rc4
v3.4.0-rc5
v3.4.0-rc6
v3.4.0-rc7
v3.4.1
v3.4.1-rc1
v3.4.2
v3.4.2-rc1
v3.4.3
v3.4.3-rc1
v3.4.3-rc2
v3.5.0
v3.5.0-rc5
v3.5.1
v3.5.1-rc1
v3.5.1-rc2
v3.5.2-rc1
v3.5.2-rc2
v3.5.2-rc3
v3.5.2-rc4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-55039.json"