CVE-2025-54920 is a critical deserialization of untrusted data vulnerability (CWE-502) found in Apache Spark versions prior to 3.5.7 and 4.0.1, specifically affecting the Spark History Server component. The root cause is the use of Jackson's polymorphic deserialization with the @JsonTypeInfo.Id.CLASS annotation on SparkListenerEvent objects, which allows JSON input to specify arbitrary Java class names for deserialization. This design flaw enables an attacker who has write access to the Spark event logs directory to inject malicious JSON payloads into event log files. When the Spark History Server loads these logs, it deserializes the crafted JSON, instantiating arbitrary classes such as org.apache.hive.jdbc.HiveConnection. This class can perform network operations, allowing the attacker to force the History Server to connect to attacker-controlled servers, effectively achieving remote code execution on the host. The vulnerability requires the attacker to have write permissions to the event log directory but does not require user interaction or elevated privileges beyond that. The exploit scenario involves injecting a JSON snippet at the start of an event log file, then restarting or loading logs in the History Server, triggering the malicious deserialization. The vulnerability impacts confidentiality, integrity, and availability, as arbitrary code execution can lead to full system compromise. The Apache Software Foundation has addressed this issue in versions 3.5.7 and 4.0.1 by restricting deserialization behavior. No public exploits have been reported yet, but the high CVSS score of 8.8 reflects the severity and ease of exploitation given write access.

The impact of CVE-2025-54920 is significant for organizations using vulnerable Apache Spark versions with the History Server enabled. An attacker with write access to the Spark event logs directory can execute arbitrary code on the server hosting the History Server, potentially leading to full system compromise. This can result in unauthorized data access, data manipulation, service disruption, and lateral movement within the network. Since Spark is widely used for big data processing in enterprises, cloud providers, and research institutions, exploitation could compromise sensitive analytics workloads and underlying infrastructure. The vulnerability undermines the confidentiality, integrity, and availability of affected systems. Organizations relying on Spark for critical data pipelines or analytics may face operational downtime and data breaches if exploited. The requirement for write access to event logs limits the attack surface but does not eliminate risk, especially in multi-tenant or shared environments where log directories may be writable by less trusted users. The vulnerability also poses risks to cloud environments where Spark is deployed as a managed service or in containerized setups with shared storage.

To mitigate CVE-2025-54920, organizations should immediately upgrade Apache Spark to versions 3.5.7 or 4.0.1 and above, where the deserialization flaw is fixed. Additionally, restrict write permissions to the Spark event logs directory to trusted administrators only, preventing untrusted users from injecting malicious JSON payloads. Implement strict access controls and monitoring on directories used by the Spark History Server. Consider isolating the History Server on dedicated hosts or containers with minimal privileges and network access to reduce impact if compromised. Employ runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect anomalous process behavior indicative of exploitation attempts. Review and harden Spark configurations to disable unnecessary features or plugins that could increase attack surface. Regularly audit and validate event log contents for unauthorized modifications. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential compromises.