Main Vulnerability Database Vulnerabilities #VU118716

#VU118716 Inadequate Encryption Strength in Apache Spark - CVE-2025-55039

Published: November 24, 2025 / Updated: November 28, 2025

Vulnerability identifier: #VU118716

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2025-55039

CWE-ID: CWE-326

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Apache Spark

Software vendor:
Apache Foundation

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the use of an insecure default network encryption cipher for RPC communication between nodes. When spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication. A remote man-in-the-middle attacker can modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows.

Remediation

Install updates from vendor's website.

#VU118716 Inadequate Encryption Strength in Apache Spark - CVE-2025-55039

Description

Remediation

External links

Please verify you're human