Vulnerability in Apache Spark

CVE-2025-55039

This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0, which use an insecure default network encryption cipher for RPC communication between nodes. When spark.network.cryp…

EPSS: 0.002 (12.9th percentile).

CVSS v3 metric

CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N.

Frequently asked questions

What is CVE-2025-55039?
CVE-2025-55039 is a medium-severity vulnerability in Apache Spark, classified under Inadequate Encryption Strength. CVSS score: 6.5/10. Published 2025-10-15.

How severe is CVE-2025-55039?
Medium severity. CVSS v3 base score is 6.5 out of 10.