SB2026012083 - Multiple vulnerabilities in Stream Analytics
Published: January 20, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Uncontrolled Recursion (CVE-ID: CVE-2025-48924)
CWE-ID: CWE-674 - Uncontrolled Recursion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. A remote attacker can trigger uncontrolled recursion and perform a denial of service (DoS) attack.
2) Inadequate Encryption Strength (CVE-ID: CVE-2025-55039)
CWE-ID: CWE-326 - Inadequate Encryption Strength
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the use of an insecure default network encryption cipher for RPC communication between nodes. When spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication. A remote man-in-the-middle attacker can modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows.
Remediation
Install update from vendor's website.