CVE-2025-54920 is a critical deserialization vulnerability found in Apache Spark versions prior to 3.5.7 and 4.0.1, specifically impacting the Spark History Server component. The root cause is the use of Jackson's polymorphic deserialization feature with @JsonTypeInfo.Id.CLASS on SparkListenerEvent objects, which allows untrusted JSON input to specify arbitrary Java class names for deserialization. This behavior enables an attacker who can write to the Spark event logs directory to craft malicious JSON payloads that instantiate unintended classes during deserialization. For example, an attacker can inject a JSON payload that causes the History Server to instantiate org.apache.hive.jdbc.HiveConnection, which triggers a JDBC connection to an attacker-controlled server. This results in remote code execution on the host running the History Server. The vulnerability is exploitable when the History Server loads or restarts and processes the manipulated event logs. The attack requires write access to the event logs directory but does not require authentication or user interaction. The vulnerability stems from insecure handling of polymorphic deserialization, a known risky practice when deserializing untrusted data. Apache Spark versions 3.5.7 and 4.0.1 include patches that restrict or sanitize deserialization inputs to prevent this attack vector. No known exploits are currently reported in the wild, but the vulnerability is publicly disclosed and should be considered high risk due to its potential impact and ease of exploitation given write access.

The impact of CVE-2025-54920 is severe for organizations using Apache Spark with event logging enabled and accessible log directories. An attacker with write permissions to the Spark event logs can execute arbitrary code on the server hosting the Spark History Server, potentially leading to full system compromise. This could result in unauthorized data access, data manipulation, lateral movement within the network, and disruption of analytics workflows. Since the History Server often runs with elevated privileges or access to sensitive data, the compromise could extend to critical infrastructure components. The vulnerability undermines the integrity and availability of Spark analytics environments and can be leveraged as a foothold for further attacks. Organizations relying on Spark for big data processing, especially in multi-tenant or cloud environments where log directories might be shared or insufficiently protected, face significant risk. The absence of authentication requirements for exploitation increases the threat level if attackers gain write access to logs through other means such as misconfigurations or insider threats.

To mitigate CVE-2025-54920, organizations should immediately upgrade Apache Spark to versions 3.5.7 or 4.0.1 and above, where the deserialization flaw is fixed. Beyond upgrading, it is critical to enforce strict access controls on the Spark event logs directory to prevent unauthorized write access. Implement file system permissions and network segmentation to isolate the History Server and its logs from untrusted users or processes. Consider disabling or restricting event logging if not required, or redirect logs to secure, immutable storage. Employ runtime application self-protection (RASP) or monitoring tools to detect anomalous deserialization behavior or unexpected outbound JDBC connections from the History Server. Review and harden Jackson deserialization configurations to avoid polymorphic deserialization of untrusted data. Conduct regular audits of Spark deployment configurations and logs to detect suspicious modifications. Finally, incorporate this vulnerability into incident response plans and threat hunting activities to quickly identify exploitation attempts.