
Cloud Vulnerability DB
A community-led vulnerabilities database
Apache Spark versions before 4.0.0, 3.5.2, and 3.4.4 ship an insecure default for the encryption of RPC traffic between cluster nodes. When spark.network.crypto.enabled is set to true (the default is false) and spark.network.crypto.cipher is not set explicitly, Spark falls back to AES in CTR mode (AES/CTR/NoPadding). CTR mode provides confidentiality only: it carries no authentication tag, so the receiver cannot tell whether the ciphertext was altered in transit (Apache NVD). The vulnerability was disclosed on October 15, 2025.
The root cause is the choice of an unauthenticated cipher as the default for node-to-node RPC encryption. In CTR mode the ciphertext is the plaintext XORed with a keystream, so flipping a bit of the ciphertext flips the same bit of the decrypted plaintext, and without a MAC or AEAD tag nothing detects the change. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (Apache NVD).
An attacker positioned on the network path between two Spark nodes can therefore modify encrypted RPC traffic undetected by flipping bits in the ciphertext, without knowing the key: any byte whose plaintext value is predictable (a fixed-format field, for instance) can be rewritten to a chosen value of the same length. Heartbeat messages or application data can be altered this way, compromising the integrity of Spark workflows (Apache NVD).
To mitigate the issue, explicitly set spark.network.crypto.cipher to AES/GCM/NoPadding so that RPC traffic uses authenticated encryption, or enable SSL by setting spark.ssl.enabled to true, which provides stronger transport security (Apache NVD). Note that spark.network.crypto.cipher only has effect when spark.network.crypto.enabled is true; clusters that leave RPC encryption off are not protected by either setting. Moving to 4.0.0, 3.5.2, or 3.4.4 or later removes the affected default, but pinning the cipher explicitly is the simplest way to verify the configuration on any version.
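The following program is an added example, not code from the Apache Spark project or from this report; it uses Go's standard-library AES implementation in place of Spark's JVM code. It reproduces the two constructions named above: AES/CTR/NoPadding (IV followed by ciphertext, no tag) and AES/GCM/NoPadding (nonce, ciphertext, tag). A constructed heartbeat string and a constructed demo key stand in for a real RPC payload and session key; Spark's actual message framing and key handshake are not modelled. The attacker function never touches the key: it XORs the difference between the known field value and the desired one into the ciphertext at the field's offset, which is exactly the bit-flipping described in the advisory. Against CTR the receiver decrypts the forged field and cannot tell; against GCM the tag check fails and no plaintext is released.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed AES-128 demo key; a real cluster derives it in Spark's auth handshake.
var demoKey = []byte("0123456789abcdef")
// Constructed stand-in for an RPC heartbeat payload with a fixed-format field.
const heartbeat = "heartbeat executor=7 status=ALIVE"
const gcmNonceSize = 12 // nonce length used by cipher.NewGCM

func mustBlock(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// ctrSeal models the vulnerable default AES/CTR/NoPadding: iv || ct, no tag.
func ctrSeal(key, plaintext []byte) []byte {
	iv := randomBytes(aes.BlockSize)
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(mustBlock(key), iv).XORKeyStream(ct, plaintext)
	return append(iv, ct...)
}

// ctrOpen decrypts iv || ct. Nothing here can notice a modified byte, so it
// never errors (msg is assumed well-formed in this demo).
func ctrOpen(key, msg []byte) ([]byte, error) {
	pt := make([]byte, len(msg)-aes.BlockSize)
	cipher.NewCTR(mustBlock(key), msg[:aes.BlockSize]).XORKeyStream(pt, msg[aes.BlockSize:])
	return pt, nil
}

// gcmSeal models the fix AES/GCM/NoPadding: nonce || ct || 16-byte tag.
func gcmSeal(key, plaintext []byte) []byte {
	aead, err := cipher.NewGCM(mustBlock(key))
	if err != nil {
		panic(err)
	}
	nonce := randomBytes(gcmNonceSize)
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// gcmOpen verifies the tag before releasing any plaintext; a flipped bit
// anywhere in nonce, ct or tag makes Open fail.
func gcmOpen(key, msg []byte) ([]byte, error) {
	aead, err := cipher.NewGCM(mustBlock(key))
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, msg[:gcmNonceSize], msg[gcmNonceSize:], nil)
}

// flipField is the man-in-the-middle step: since ct = pt XOR keystream, XORing
// (old XOR new) into ct at the field's offset rewrites the field without the key.
func flipField(msg []byte, prefixLen, offset int, oldField, newField string) []byte {
	out := append([]byte(nil), msg...)
	for i := range oldField {
		out[prefixLen+offset+i] ^= oldField[i] ^ newField[i]
	}
	return out
}

// forge seals the heartbeat, rewrites status=ALIVE to status=DEAD! in transit
// and returns what the receiver's open() yields.
func forge(seal func(key, pt []byte) []byte, open func(key, msg []byte) ([]byte, error), prefixLen int) (string, error) {
	msg := seal(demoKey, []byte(heartbeat))
	off := bytes.Index([]byte(heartbeat), []byte("ALIVE"))
	pt, err := open(demoKey, flipField(msg, prefixLen, off, "ALIVE", "DEAD!"))
	return string(pt), err
}

// TamperCTR: the forgery decrypts cleanly, so the receiver acts on it.
// TamperGCM: the same forgery fails authentication and yields no plaintext.
func TamperCTR() (string, error) { return forge(ctrSeal, ctrOpen, aes.BlockSize) }
func TamperGCM() (string, error) { return forge(gcmSeal, gcmOpen, gcmNonceSize) }

func main() {
	pt, err := TamperCTR()
	fmt.Printf("AES/CTR/NoPadding: receiver sees %q, err=%v\n", pt, err)
	pt, err = TamperGCM()
	fmt.Printf("AES/GCM/NoPadding: receiver sees %q, err=%v\n", pt, err)
}
```

Run it with `go run`: the CTR line shows the receiver accepting status=DEAD! with no error, while the GCM line shows an empty plaintext and an authentication failure. The corresponding Spark-side change is the one the advisory gives, spark.network.crypto.cipher=AES/GCM/NoPadding alongside spark.network.crypto.enabled=true; GCM costs a 16-byte tag per message, which is the price of the receiver being able to reject exactly the forgery shown here.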
Source: This report was generated using AI