Deserialization in Apache Software Foundation Spark

CVE-2025-54920

This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue.

Summary: Apache Spark 3.5.4 and earlier versions contain a code execution vulnerabil…

Vulnerability class: Insecure Deserialization

EPSS: 0.005 (65.7th percentile)

Affected products

Weakness classification (CWE)

References