CVE-2025-55039 is a cryptographic vulnerability affecting Apache Spark versions before 3.4.4, 3.5.2, and 4.0.0. The issue arises because when network encryption is enabled (spark.network.crypto.enabled=true) but the encryption cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding). AES in CTR mode provides confidentiality but lacks built-in authentication, meaning that while data is encrypted, it is vulnerable to bit-flipping attacks by a man-in-the-middle (MITM). An attacker positioned on the network path can alter encrypted RPC traffic undetected, compromising the integrity of messages exchanged between Spark nodes. This can affect heartbeat messages used to monitor node health and application data, potentially causing workflow disruptions or incorrect processing results. The vulnerability is classified under CWE-347 (Improper Verification of Cryptographic Signature) and CWE-326 (Inadequate Encryption Strength). The CVSS v3.1 base score is 6.5, reflecting a medium severity with network attack vector, low attack complexity, no privileges or user interaction required, and impact primarily on integrity and limited confidentiality. Mitigation requires explicitly setting spark.network.crypto.cipher to AES/GCM/NoPadding, which provides authenticated encryption, or enabling SSL encryption by setting spark.ssl.enabled to true, which offers stronger transport security and integrity protection. No public exploits have been reported to date, but the vulnerability poses a risk in environments where Spark nodes communicate over untrusted or compromised networks.

For European organizations, this vulnerability can undermine the integrity of distributed data processing workflows relying on Apache Spark, especially in sectors handling sensitive or critical data such as finance, telecommunications, healthcare, and scientific research. An attacker capable of intercepting network traffic between Spark nodes could manipulate heartbeat signals, potentially causing node disconnections or failovers, and alter application data, leading to incorrect analytics or decision-making. This could result in operational disruptions, data corruption, and loss of trust in data processing pipelines. Organizations using default configurations without explicit cipher settings are most at risk. Since Spark is widely used in big data environments, the impact could extend to cloud service providers and enterprises running large-scale analytics clusters. The vulnerability does not directly expose data confidentiality or availability but compromises data integrity, which is critical for compliance with European data protection regulations such as GDPR, where data accuracy and integrity are mandated. Additionally, disruption of critical infrastructure analytics could have broader economic or societal impacts.

European organizations should immediately audit their Apache Spark deployments to identify versions prior to 3.4.4, 3.5.2, and 4.0.0 and check the configuration of spark.network.crypto.enabled and spark.network.crypto.cipher. If network encryption is enabled, explicitly configure spark.network.crypto.cipher to AES/GCM/NoPadding to ensure authenticated encryption and prevent bit-flipping attacks. Alternatively, enable SSL encryption by setting spark.ssl.enabled to true to leverage stronger transport layer security. Organizations should also consider upgrading to the latest patched versions of Apache Spark where this issue is resolved by default. Network segmentation and use of VPNs or secure tunnels for Spark node communication can reduce exposure to MITM attacks. Monitoring network traffic for anomalies and implementing intrusion detection systems can help detect potential exploitation attempts. Finally, ensure that security policies enforce secure configurations and that DevOps teams are trained to avoid insecure defaults in distributed computing environments.