
CVE-2025-54947: Apache StreamPark has a hard-coded encryption key

December 12, 2025

In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access.

This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.

Users are recommended to upgrade to version 2.1.7, which fixes the issue.
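As an added illustration of the weakness class this advisory describes (CWE-321, a fixed key compiled into the application), not code from StreamPark or from its fix commit: the constant-key pattern beside a variant that loads the key from deployment configuration and fails closed when none is supplied. The class names and the `APP_ENCRYPTION_KEY` environment variable are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Constructed example: class names and the APP_ENCRYPTION_KEY variable are
// assumptions for this illustration, not identifiers from StreamPark.
public class EncryptionKeyHandling {

    // WEAK (CWE-321): the key is a compile-time constant. Anyone who can read the
    // class file or the source repository recovers it and can decrypt or forge
    // every value the application ever protected with it, and rotating it
    // requires a code change and a redeploy of every instance.
    static final class HardCodedKeyCipher {
        private static final byte[] KEY =
                "example-constant".getBytes(StandardCharsets.US_ASCII); // 16 bytes, visible in the jar
        static SecretKey key() { return new SecretKeySpec(KEY, "AES"); }
    }

    // HARDENED: the key is supplied per deployment and never appears in the
    // code base. An environment variable is used here for brevity; a key store
    // or secrets manager is the usual production choice.
    static final class ConfiguredKeyCipher {
        private static final int GCM_IV_BYTES = 12;
        private static final int GCM_TAG_BITS = 128;
        private final SecretKey key;
        private final SecureRandom random = new SecureRandom();

        ConfiguredKeyCipher(byte[] rawKey) {
            if (rawKey.length != 16 && rawKey.length != 24 && rawKey.length != 32) {
                throw new IllegalArgumentException("AES key must be 16, 24 or 32 bytes");
            }
            this.key = new SecretKeySpec(rawKey, "AES");
        }

        // Fail closed: a missing key aborts startup instead of silently falling
        // back to a built-in default, which would recreate the hard-coded key.
        static ConfiguredKeyCipher fromEnvironment(String variable) {
            String encoded = System.getenv(variable);
            if (encoded == null || encoded.isEmpty()) {
                throw new IllegalStateException(variable + " is not set; refusing to start without a key");
            }
            return new ConfiguredKeyCipher(Base64.getDecoder().decode(encoded));
        }

        // AES-GCM with a fresh random IV per message; output is IV || ciphertext || tag.
        String encrypt(String plaintext) throws GeneralSecurityException {
            byte[] iv = new byte[GCM_IV_BYTES];
            random.nextBytes(iv);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
            byte[] ciphertext = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
            byte[] out = new byte[iv.length + ciphertext.length];
            System.arraycopy(iv, 0, out, 0, iv.length);
            System.arraycopy(ciphertext, 0, out, iv.length, ciphertext.length);
            return Base64.getEncoder().encodeToString(out);
        }

        // The GCM tag check rejects any ciphertext that was altered or forged.
        String decrypt(String encoded) throws GeneralSecurityException {
            byte[] in = Base64.getDecoder().decode(encoded);
            if (in.length < GCM_IV_BYTES + GCM_TAG_BITS / 8) {
                throw new GeneralSecurityException("ciphertext too short");
            }
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, in, 0, GCM_IV_BYTES));
            byte[] plaintext = cipher.doFinal(in, GCM_IV_BYTES, in.length - GCM_IV_BYTES);
            return new String(plaintext, StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws Exception {
        // Run with: APP_ENCRYPTION_KEY=$(openssl rand -base64 32) java EncryptionKeyHandling
        ConfiguredKeyCipher cipher = ConfiguredKeyCipher.fromEnvironment("APP_ENCRYPTION_KEY");
        String token = cipher.encrypt("db-password-example"); // constructed sample secret
        System.out.println("ciphertext: " + token);
        System.out.println("round trip: " + cipher.decrypt(token));
    }
}
```

The point of the contrast is where the key lives, not the cipher mode: with the constant in `HardCodedKeyCipher`, every deployment shares one key that is recoverable from the artifact, whereas `ConfiguredKeyCipher` makes the key a deployment secret that can differ per installation and be rotated without touching the code. A repository secret scanner or a static rule that flags `SecretKeySpec` constructed from a string literal will catch the weak pattern before release.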

References

  • github.com/advisories/GHSA-prv5-c2px-j9q3
  • github.com/apache/streampark
  • github.com/apache/streampark/commit/39034db0c806168afa82e58e4f376e1e3c3b73e4
  • lists.apache.org/thread/kdntmzyzrco75x9q6mc6s8lty1fxmog1
  • nvd.nist.gov/vuln/detail/CVE-2025-54947


Affected versions

All versions starting from 2.0.0 before 2.1.7

Fixed versions

  • 2.1.7

Solution

Upgrade to version 2.1.7 or above.

Impact: 7.5 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


Weakness

  • CWE-321: Use of Hard-coded Cryptographic Key

Source file

maven/org.apache.streampark/streampark/CVE-2025-54947.yml



Page generated Sun, 14 Dec 2025 00:19:12 +0000.