CVE-2025-54920: Apache Spark: Spark History Server Code Execution Vulnerability

March 16, 2026 (updated March 17, 2026)

Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server.

References

github.com/advisories/GHSA-jwp6-cvj8-fw65
github.com/apache/spark
github.com/apache/spark/pull/51312
github.com/apache/spark/pull/51323
issues.apache.org/jira/browse/SPARK-52381
lists.apache.org/thread/4y9n0nfj7m68o2hpmoxgc0y7dm1lo02s
nvd.nist.gov/vuln/detail/CVE-2025-54920

Code Behaviors & Features

Detect and mitigate CVE-2025-54920 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →