Vulnerable Library - delta_spark-3.1.0-py3-none-any.whl
Path to dependency file: /tmp/ws-ua_20240730130235_KVVOZT/cmd_NQQTWK/20240730131321/.ws-temp-MPQIJO-requirements.txt
Path to vulnerable library: /tmp/ws-ua_20240730130235_KVVOZT/cmd_NQQTWK/20240730131321/.ws-temp-MPQIJO-requirements.txt,/tmp/ws-ua_20240730130235_KVVOZT/cmd_NQQTWK/20240730130652/.ws-temp-PDFBNV-requirements.txt
Vulnerabilities
| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (delta_spark version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2025-55039 | Medium | 6.5 | pyspark-3.5.1.tar.gz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2025-55039
Vulnerable Library - pyspark-3.5.1.tar.gz
Apache Spark Python API
Library home page: https://files.pythonhosted.org/packages/73/e5/c9eb78cc982dafb7b5834bc5c368fe596216c8b9f7c4b4ffa104c4d2ab8f/pyspark-3.5.1.tar.gz
Path to dependency file: /tmp/ws-ua_20240730130235_KVVOZT/cmd_NQQTWK/20240730131321/.ws-temp-MPQIJO-requirements.txt
Path to vulnerable library: /tmp/ws-ua_20240730130235_KVVOZT/cmd_NQQTWK/20240730131321/.ws-temp-MPQIJO-requirements.txt,/tmp/ws-ua_20240730130235_KVVOZT/cmd_NQQTWK/20240730130652/.ws-temp-PDFBNV-requirements.txt
Dependency Hierarchy:
- delta_spark-3.1.0-py3-none-any.whl (Root Library)
  - ❌ pyspark-3.5.1.tar.gz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0.
Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes.
When spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication.
This vulnerability allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows.
To mitigate this issue, users should either configure spark.network.crypto.cipher to AES/GCM/NoPadding to enable authenticated encryption, or enable SSL encryption by setting spark.ssl.enabled to true, which provides stronger transport security.
Publish Date: 2025-10-15
URL: CVE-2025-55039
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/zrgyy9l85nm2c7vk36vr7bkyorg3w4qq
Release Date: 2025-10-15
Fix Resolution: org.apache.spark:spark-network-common_2.12:3.4.4,org.apache.spark:spark-network-common_2.13:3.5.2,org.apache.spark:spark-network-common_2.12:3.5.2,org.apache.spark:spark-network-common_2.13:3.4.4
Step up your Open Source Security Game with Mend here