CVE-2025-55039

📊 6.5 MEDIUM | EPSS 0.1% | 🎯 0 exploits
📅 Published Oct 15, 2025
📋 Status: Analyzed

This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0, which use an insecure default network encryption cipher for RPC communication between nodes. When spark.network.crypto.enabled is set to true (it is false by default) but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication.

A man-in-the-middle attacker can therefore modify encrypted RPC traffic undetected by flipping bits in the ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows.

To mitigate this issue, either set spark.network.crypto.cipher to AES/GCM/NoPadding to enable authenticated encryption, or enable SSL encryption by setting spark.ssl.enabled to true, which provides stronger transport security.
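A configuration check for the condition described above, as an added example that is not part of the advisory or of Apache Spark: it parses spark-defaults.conf style text and reports whether RPC encryption would fall back to the unauthenticated cipher. The function names and sample files are constructed for illustration, and settings passed on the command line or in application code are not modeled.

```python
import re

AEAD_CIPHER = "AES/GCM/NoPadding"  # mitigation value named in the advisory
CTR_CIPHER = "AES/CTR/NoPadding"   # unauthenticated default on affected versions

def parse_spark_conf(text):
    """Parse properties-style lines: 'key value' or 'key=value', '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        conf[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return conf

def audit_rpc_crypto(conf):
    """Return (status, reason) for the RPC encryption settings in conf."""
    def enabled(key):
        return conf.get(key, "false").lower() == "true"

    # The advisory lists spark.ssl.enabled=true as an accepted mitigation.
    if enabled("spark.ssl.enabled"):
        return "ok", "spark.ssl.enabled is true"
    if not enabled("spark.network.crypto.enabled"):
        return "not-applicable", "spark.network.crypto.enabled is false"
    cipher = conf.get("spark.network.crypto.cipher")
    if cipher is None:
        return "vulnerable", "cipher unset, falls back to " + CTR_CIPHER
    if cipher.upper() == CTR_CIPHER.upper():
        return "vulnerable", "cipher explicitly set to " + CTR_CIPHER
    if cipher.upper() == AEAD_CIPHER.upper():
        return "ok", "authenticated cipher " + AEAD_CIPHER
    return "review", "cipher %s is not one named in the advisory" % cipher

# Constructed sample files (not taken from any real deployment).
SAMPLE_DEFAULT = "# RPC encryption on, cipher left at default\n" \
                 "spark.network.crypto.enabled  true\n"
SAMPLE_FIXED = "spark.network.crypto.enabled  true\n" \
               "spark.network.crypto.cipher=AES/GCM/NoPadding\n"

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("fixed", SAMPLE_FIXED)):
        status, reason = audit_rpc_crypto(parse_spark_conf(text))
        print("%-8s %-10s %s" % (name, status, reason))
```
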

🎯 Affected Products & Systems

2 product configurations affected

📱 Application (Vulnerable)
Version: < 3.4.4
CPE: cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*

📱 Application (Vulnerable)
Version: ≥ 3.5.0 ∧ < 3.5.2
CPE: cpe:2.3:a:apache:spark:*:*:*:*:*:*:*:*

Metrics

6.5 MEDIUM (CVSS v3.1), source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: NETWORK
Complexity: LOW
Privileges: NONE
User Interaction: NONE
Confidentiality: LOW
Integrity: LOW
Availability: NONE
Scope: UNCHANGED

🔍 Technical Details

Analysis Status: Analyzed
CVSS Details: 6.5 (MEDIUM), v3.1
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
EPSS Details: 0.1% (Minimal), 15.8th percentile (exploitation probability within 30 days)
EPSS last updated: Oct 31, 2025
Published Date: Oct 15, 2025
Last Modified: Oct 20, 2025