Apache Spark, Apache Spark: RPC encryption defaults to unauthenticated AES-CTR...

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Description

This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0.

Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes.

When spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication.

This vulnerability allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows.

To mitigate this issue, users should either configure spark.network.crypto.cipher to AES/GCM/NoPadding to enable authenticated encryption or

enable SSL encryption by setting spark.ssl.enabled to true, which provides stronger transport security.

Basic Information

ID CVE-2025-55039

Source apache

Published Oct 15, 2025 at 07:19

Modified Oct 15, 2025 at 19:33

Affected Product

Vendor Apache Software Foundation

Product Apache Spark

Version 3.5.0

Affected Versions Apache Software Foundation Apache Spark 3.5.0
Apache Software Foundation Apache Spark 0
Apache Software Foundation Apache Spark 3.5.0
Apache Software Foundation Apache Spark 0

CWE Classification

CWE-347 CWE-326

References

lists.apache.org /thread/zrgyy9l85nm2c7vk36vr7bkyorg3w4qq

{
    "lastseen": "",
    "description": "This issue affects Apache Spark versions before  3.4.4,\u00a03.5.2 and 4.0.0.\n\n\n\nApache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes.\n\nWhen spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication.\n\nThis vulnerability allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows.\n\n\nTo mitigate this issue, users should either configure spark.network.crypto.cipher to AES/GCM/NoPadding to enable authenticated encryption or\n\nenable SSL encryption by setting spark.ssl.enabled to true, which provides stronger transport security.",
    "published": "2025-10-15T07:19:25.493Z",
    "modified": "2025-10-15T19:33:31.064Z",
    "type": "cve",
    "title": "Apache Spark, Apache Spark: RPC encryption defaults to unauthenticated AES-CTR mode, enabling man-in-the-middle ciphertext modification attacks",
    "source": "apache",
    "references": "https://lists.apache.org/thread/zrgyy9l85nm2c7vk36vr7bkyorg3w4qq",
    "id": "CVE-2025-55039",
    "bulletinFamily": "",
    "cwe": [
        "CWE-347",
        "CWE-326"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Spark 3.5.0\nApache Software Foundation Apache Spark 0\nApache Software Foundation Apache Spark 3.5.0\nApache Software Foundation Apache Spark 0",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Spark",
    "version": "3.5.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Apache Spark, Apache Spark: RPC encryption defaults to unauthenticated AES-CTR mode, enabling man-in-the-middle ciphertext modification attacks_CVE-2025-55039