The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-54920

CVE-2025-54920: Apache Spark RCE Vulnerability

CVE-2025-54920 is a remote code execution flaw in Apache Spark affecting versions before 3.5.7 and 4.0.1. Attackers can exploit insecure Jackson deserialization to execute arbitrary code on the History Server.

Published: March 20, 2026

CVE-2025-54920 Overview

CVE-2025-54920 is a critical insecure deserialization vulnerability affecting Apache Spark versions prior to 3.5.7 and 4.0.1. The vulnerability exists in the Spark History Web UI due to overly permissive Jackson deserialization of event log data. This flaw allows an attacker with access to the Spark event logs directory to inject malicious JSON payloads that trigger deserialization of arbitrary classes, enabling command execution on the host running the Spark History Server.

Critical Impact

An attacker with write access to Spark event logs can execute arbitrary code on the server running the History Server, potentially compromising the entire system and all data processing workloads.

Affected Products

  • Apache Spark versions before 3.5.7
  • Apache Spark versions before 4.0.1
  • Spark History Server deployments with writable event log directories

Discovery Timeline

  • 2026-03-16 - CVE-2025-54920 published to NVD
  • 2026-03-17 - Last updated in NVD database

Technical Details for CVE-2025-54920

Vulnerability Analysis

The vulnerability arises because the Spark History Server uses Jackson polymorphic deserialization with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects. This configuration allows an attacker to specify arbitrary class names in the event JSON, permitting the instantiation of unintended classes during the deserialization process.

When the History Server starts up or loads event logs, it processes JSON content from the event log files. If an attacker has write access to these files, they can inject crafted JSON payloads that force the server to instantiate dangerous classes such as org.apache.hive.jdbc.HiveConnection. This particular gadget class can perform network calls or other malicious actions during deserialization, effectively providing a path to remote code execution.

The exploitation scenario involves the attacker forcing the History Server to open a JDBC connection to a remote attacker-controlled server, demonstrating remote command injection capability. This is classified as CWE-502 (Deserialization of Untrusted Data).

Root Cause

The root cause is the use of Jackson's polymorphic deserialization feature with the @JsonTypeInfo.Id.CLASS annotation without proper type filtering or allowlisting. This configuration trusts the Event field in JSON payloads to specify class names, allowing instantiation of any class available on the classpath. The lack of restrictions on which classes can be deserialized creates a classic insecure deserialization attack surface.

Attack Vector

The attack is network-based and requires low-privilege access (write access to the Spark event logs directory). The attacker exploits the vulnerability by:

  1. Gaining write access to the Spark event logs directory (often configured as a shared storage location)
  2. Injecting malicious JSON content at the beginning of an event log file
  3. Waiting for the Spark History Server to start or reload event logs
  4. The server deserializes the malicious payload, triggering instantiation of attacker-specified classes

The proof of concept demonstrates injection of a HiveConnection object that initiates an outbound JDBC connection to an attacker-controlled server. The malicious JSON payload specifies the Hive JDBC driver class with attacker-controlled connection URIs, which establishes network connectivity to external hosts upon deserialization.

Detection Methods for CVE-2025-54920

Indicators of Compromise

  • Unexpected outbound network connections from the Spark History Server to external hosts on JDBC or Thrift ports
  • Unusual Event type entries in Spark event log files referencing classes outside org.apache.spark.scheduler namespace
  • Event log files containing references to org.apache.hive.jdbc.HiveConnection or similar JDBC driver classes
  • Modifications to event log files with timestamps not correlating to actual Spark application runs

Detection Strategies

  • Monitor Spark event log files for unexpected class references in the Event field using file integrity monitoring
  • Implement network egress filtering to detect and block outbound JDBC connections from History Server hosts
  • Deploy SentinelOne to detect suspicious process behavior and anomalous network activity from Java processes
  • Review Spark History Server logs for deserialization errors or unexpected class loading exceptions

Monitoring Recommendations

  • Enable comprehensive logging for the Spark History Server and correlate with network flow data
  • Configure alerts for any outbound connections from History Server hosts to non-approved destinations
  • Implement file integrity monitoring on Spark event log directories to detect unauthorized modifications
  • Use SentinelOne's behavioral AI to identify post-exploitation activities following potential deserialization attacks

How to Mitigate CVE-2025-54920

Immediate Actions Required

  • Upgrade Apache Spark to version 3.5.7 or 4.0.1 or later immediately
  • Restrict write access to Spark event log directories using filesystem permissions
  • Implement network segmentation to limit outbound connectivity from Spark History Server hosts
  • Review existing event log files for signs of tampering or malicious content

Patch Information

Apache has released security patches addressing this vulnerability. Users should upgrade to Apache Spark version 3.5.7 for the 3.x branch or version 4.0.1 for the 4.x branch. The fix restricts which classes can be instantiated during Jackson deserialization of event log data. For detailed patch information, see the GitHub Pull Request 51312 and GitHub Pull Request 51323. Additional details are available in Apache JIRA Issue SPARK-52381 and the Apache Mailing List Thread.

Workarounds

  • Configure strict filesystem permissions on Spark event log directories to prevent unauthorized write access
  • Deploy the Spark History Server in an isolated network segment with restricted outbound connectivity
  • If upgrading is not immediately possible, consider temporarily disabling the Spark History Server until patches can be applied
  • Implement egress firewall rules blocking JDBC and Thrift protocol connections from History Server hosts
bash
# Configuration example - Restrict event log directory permissions
chmod 750 /path/to/spark-logs
chown spark:spark /path/to/spark-logs

# Verify no unauthorized modifications to event logs
find /path/to/spark-logs -type f -mtime -1 -exec ls -la {} \;

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeRCE
  • Vendor/TechApache Spark
  • SeverityHIGH
  • CVSS Score8.8
  • EPSS Probability0.17%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-502
  • Technical References
  • GitHub Pull Request 51312
  • GitHub Pull Request 51323
  • Apache JIRA Issue SPARK-52381
  • Apache Mailing List Thread
  • Openwall OSS Security Update
  • Related CVEs
  • CVE-2022-33891: Apache Spark UI ACL Bypass RCE Vulnerability
  • CVE-2023-32007: Apache Spark RCE Vulnerability
  • CVE-2021-38296: Apache Spark Information Disclosure Flaw
  • CVE-2020-9480: Apache Spark Auth Bypass Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English