High
CVE-2025-54920
This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue. Summary Apache Spark 3.5.4 and earlier vers…
Tag: Apache Spark
All CVEs associated with "Apache Spark". Page 1/1 • 18 CVEs.
About “Apache Spark”
A curated feed of “Apache Spark”-related CVEs appears below. We currently track 18 CVEs for this tag (all time). In the last 365 days, 3 were published. Average CVSS is 7.3 (all time; 7.2 over 365d), and 50% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-502 - Deserialization of Untrusted Data, CWE-20 - Improper Input Validation, CWE-326 - Inadequate Encryption Strength.
In our taxonomy this topic maps to a LOW impact class. Vendor advisories and release notes are key. Verify compatibility matrices, prefer supported long term versions, and stage rollouts with monitoring. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.
Support & lifecycle: apache-spark
This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.
| Cycle | Release | Latest | EOL | LTS |
|---|---|---|---|---|
| 4.1 | 4.1.2 | |||
| 4.0 | 4.0.2 | Soon | ||
| 3.5 | 3.5.8 | LTS | ||
| 3.4 | 3.4.4 | Expired | ||
| 3.3 | 3.3.4 | Expired | ||
| 3.2 | 3.2.4 | Expired | ||
| 3.1 | 3.1.3 | Expired | ||
| 3.0 | 3.0.3 | Expired | ||
| 2.4 | 2.4.8 | Expired | LTS | |
| 2.3 | 2.3.4 | Expired | ||
| 2.2 | 2.2.3 | Expired | ||
| 2.1 | 2.1.3 | Expired | ||
| 2.0 | 2.0.2 | Expired | ||
| 1.6 | 1.6.3 | Expired | ||
| 1.5 | 1.5.2 | Expired | ||
| 1.4 | 1.4.1 | Expired | ||
| 1.3 | 1.3.1 | Expired | ||
| 1.2 | 1.2.2 | Expired | ||
| 1.1 | 1.1.1 | Expired | ||
| 1.0 | 1.0.2 | Expired |
Maintained Soon (≤ 180 days) Expired
Subscribe lifecycle: RSS · RSS (expired) · ICS
Subscribe CVEs: RSS for “Apache Spark” · RSS (High+Critical only)
CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).
CVSS ≥ 0.0
2026-03-16
2026-03-13
Medium
CVE-2025-60012
Malicious configuration can lead to unauthorized file access in Apache Livy. This issue affects Apache Livy 0.7.0 and 0.8.0 when connecting to Apache Spark 3.1 or later. A request that includes a S…
2025-10-15
Medium
CVE-2025-55039
This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0. Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication…
2024-12-23
Medium
CVE-2024-23945
Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying t…
2023-08-28
High
CVE-2023-40195
Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow Spark Provider. When the Apache Spark provider…
2023-05-02
High
CVE-2023-32007
** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has…
2023-04-17
Medium
CVE-2023-22946
In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitt…
2022-11-01
Medium
CVE-2022-31777
A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a ma…
2022-08-04
Critical
CVE-2022-25168
Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemor…
2022-07-18
High
CVE-2022-33891
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or m…
2022-03-10
High
CVE-2021-38296
Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication prot…
2020-06-23
Critical
CVE-2020-9480
In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-craf…
2018-11-19
Critical
CVE-2018-17190
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute…
2018-08-13
Medium
CVE-2018-11770
From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'sp…
2018-07-12
Medium
CVE-2018-8024
In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tric…
Medium
CVE-2018-1334
In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running…
2017-09-13
High
CVE-2017-12612
In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentiall…
2017-07-12
Medium
CVE-2017-7678
In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits dat…