Main Vulnerability Database Vulnerabilities #VU118716

Inadequate Encryption Strength in Apache Spark - CVE-2025-55039

Published: November 24, 2025 / Updated: November 28, 2025

Vulnerability identifier: #VU118716

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2025-55039

CWE-ID: CWE-326

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Apache Foundation

Affected software:
Apache Spark

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the use of an insecure default network encryption cipher for RPC communication between nodes. When spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication. A remote man-in-the-middle attacker can modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows.

How to mitigate CVE-2025-55039

Install updates from vendor's website.

Inadequate Encryption Strength in Apache Spark - CVE-2025-55039

Detailed vulnerability description

How to mitigate CVE-2025-55039

Sources

Please verify you're human