CVE-2025-54920 - Vulnerability Analysis
Severity: High
CVSS: 8.8
Last Updated: March 17, 2026
Apache Spark - Remote Code Execution
Published: March 16, 2026
Updated: March 17, 2026
Remote Exploitable
Overview
Apache Spark versions before 3.5.7 and 4.0.x before 4.0.1 contain a remote code execution vulnerability caused by overly permissive Jackson deserialization of event log data in the Spark History Web UI. An attacker with write access to the event logs can execute arbitrary code on the host running the History Server.
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
An attacker who can write to the event logs read by the Spark History Server can execute arbitrary code on the server hosting it, potentially compromising the entire system.
Mitigation
Upgrade to Apache Spark version 3.5.7 or later (3.5.x line), or 4.0.1 or later (4.0.x line).
Details
- CVE ID: CVE-2025-54920
- Severity: High
- CVSS Score: 8.8
- Type: insecure_deserialization
- Status: unconfirmed
CWE
- CWE-502
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H