Apache Spark: RPC encryption defaults to unauthenticated AES-CTR mode, enabling man-in-the-middle ciphertext modification attacks
Description
This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0.
Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes.
When spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication.
This vulnerability allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows.
To mitigate this issue, users should either configure spark.network.crypto.cipher to AES/GCM/NoPadding to enable authenticated encryption or enable SSL encryption by setting spark.ssl.enabled to true, which provides stronger transport security.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Spark RPC encryption defaults to unauthenticated AES-CTR mode, allowing man-in-the-middle attackers to modify encrypted traffic undetected.
Vulnerability
Overview
CVE-2025-55039 affects Apache Spark versions before 3.4.4, 3.5.2, and 4.0.0. When the optional RPC encryption feature is enabled (spark.network.crypto.enabled=true) but the cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding) [1][3]. This mode provides encryption without authentication, meaning the ciphertext can be modified by an attacker without detection.
Exploitation
A man-in-the-middle attacker positioned between Spark nodes can flip bits in the encrypted RPC traffic. Because CTR mode lacks integrity checks, the attacker can alter heartbeat messages or application data without the communicating parties noticing [1][3]. The attack requires the attacker to have network access to intercept and modify traffic, but does not require authentication credentials.
Impact
Successful exploitation compromises the integrity of Spark workflows. An attacker could manipulate data being exchanged between nodes, potentially leading to incorrect computation results, altered job behavior, or disruption of cluster operations [1]. The confidentiality of the traffic remains protected, but its integrity is lost, and loss of integrity can have serious consequences for data processing pipelines.
Mitigation
Users should either configure spark.network.crypto.cipher to AES/GCM/NoPadding to enable authenticated encryption, or enable SSL encryption by setting spark.ssl.enabled to true for stronger transport security [1][3]. Patched versions (3.4.4, 3.5.2 and 4.0.0) are available as the recommended fix.
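To make the difference between the two cipher settings concrete, here is an added Go example (not Spark's own code; Spark's RPC layer is JVM-based) that encrypts a constructed payload under AES-CTR and under AES-GCM, XORs one bit of each ciphertext, and shows that CTR hands the receiver silently altered plaintext while GCM rejects the message with an authentication error. The key, IV, nonce and payload are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo values: 16-byte AES-128 key and 16-byte CTR counter block.
var demoKey = []byte("0123456789abcdef")
var demoIV = []byte("fedcba9876543210")
var demoNonce = demoIV[:12] // GCM's standard nonce size is 12 bytes

// ctrTamper encrypts with AES/CTR/NoPadding (Spark's default when the cipher
// is unset), XORs mask into ciphertext byte offset, and returns what a receiver
// decrypts. CTR is a keystream XOR with no integrity tag, so the receiver gets
// plaintext[offset]^mask and no error: the change is silent.
func ctrTamper(plaintext []byte, offset int, mask byte) []byte {
	block, _ := aes.NewCipher(demoKey) // key length is fixed at 16 bytes, cannot fail
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, demoIV).XORKeyStream(ct, plaintext)
	ct[offset] ^= mask
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, demoIV).XORKeyStream(pt, ct)
	return pt
}

// gcmTamper does the same with AES/GCM/NoPadding (the recommended cipher).
// The modified ciphertext no longer matches the authentication tag, so Open
// returns an error and no plaintext.
func gcmTamper(plaintext []byte, offset int, mask byte) ([]byte, error) {
	block, _ := aes.NewCipher(demoKey)
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, demoNonce, plaintext, nil)
	ct[offset] ^= mask
	return gcm.Open(nil, demoNonce, ct, nil)
}

func main() {
	msg := []byte("constructed heartbeat payload") // stands in for an RPC message
	got := ctrTamper(msg, 12, 0x01)
	fmt.Printf("CTR: altered=%v decrypted=%q\n", !bytes.Equal(got, msg), got)
	_, err := gcmTamper(msg, 12, 0x01)
	fmt.Printf("GCM: rejected=%v (%v)\n", err != nil, err)
}
```

The same contrast holds for the Spark setting: with AES/CTR/NoPadding a modified RPC frame decrypts without complaint, whereas with AES/GCM/NoPadding the receiving node drops it at the tag check.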
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.spark:spark-network-common_2.13 (Maven) | >= 3.5.0, < 3.5.2 | 3.5.2 |
| org.apache.spark:spark-network-common_2.13 (Maven) | < 3.4.4 | 3.4.4 |
| org.apache.spark:spark-network-common_2.12 (Maven) | < 3.4.4 | 3.4.4 |
| org.apache.spark:spark-network-common_2.12 (Maven) | >= 3.5.0, < 3.5.2 | 3.5.2 |
Affected products
- Apache Software Foundation / Apache Spark, range: 3.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-6p6v-m64v-jx8q (GHSA advisory)
- lists.apache.org/thread/zrgyy9l85nm2c7vk36vr7bkyorg3w4qq (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-55039 (advisory)
- www.openwall.com/lists/oss-security/2025/10/14/11 (web)
News mentions
No linked articles in our index yet.