This repository was archived by the owner on Jan 7, 2026. It is now read-only.
spark-4.1.advisories.yaml
46 additions & 0 deletions
Original file line number
Diff line number
Diff line change
@@ -4,6 +4,16 @@ package:
4
4
name: spark-4.1
5
5
6
6
advisories:
7
+
- id: CGA-29w8-vjxh-6r3h
8
+
aliases:
9
+
- CVE-2025-53864
10
+
- GHSA-xwmg-2g98-w7v9
11
+
events:
12
+
- timestamp: 2026-01-07T01:11:52Z
13
+
type: pending-upstream-fix
14
+
data:
15
+
note: Upstream maintainers will need to update the nimbus-jose-jwt versions to newer ones, as there are several different version references that utilize shaded JARs. Attempts to rebuild with newer versions resulted in conflicts and build issues
note: 'As per the advisory commons-lang has no patched version and as per the description, upstream package maintainers of commons-lang recommend to upgrade to commons-lang3 version 3.18.0 or greater. Upstream has to upgrade their dependency in order to fix this CVE. More information on the advisory: https://github.com/advisories/GHSA-j288-q9x7-2f5v'
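Review bot: the CGA-29w8-vjxh-6r3h note (diff line 15) omits the two facts the Jackson, Hive and Jetty notes in this file record, namely which shaded JAR carries the vulnerable nimbus-jose-jwt and which nimbus-jose-jwt version fixes CVE-2025-53864, and it carries no reference link, so a later triager cannot check the claim without redoing the analysis; record the jar path(s) and the fixed version in the same form the Jackson entries use ("The vulnerability is in jackson-core 2.12.7 bundled within hadoop-client-runtime-3.4.1.jar"). The commons-lang note that follows has the mirror-image gap: it links the advisory but never says which Spark jar bundles commons-lang. The nimbus-jose-jwt note is also the only unquoted, unterminated note string in the file; quote it and end it with a period to match the others.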
60
+
61
+
- id: CGA-q54v-3v4v-8967
62
+
aliases:
63
+
- CVE-2025-49128
64
+
- GHSA-wf8f-6423-gfxg
65
+
events:
66
+
- timestamp: 2026-01-07T01:11:16Z
67
+
type: pending-upstream-fix
68
+
data:
69
+
note: 'Upstream maintainers must cut a Hadoop release with Avro 1.11.4+ to resolve this CVE. The vulnerability is in jackson-core 2.12.7 bundled within hadoop-client-runtime-3.4.1.jar. Spark PR #40933 (SPARK-43263) attempted to upgrade Jackson to 2.15.0 but encountered dependency conflicts with Avro 1.11.1 which still pulls Jackson 2.12.7. The PR discussion confirmed that Avro must be upgraded first, which requires a new Hadoop release. CVE-2025-49128 is fixed in Jackson 2.13.0+. Reference: https://github.com/apache/spark/pull/40933#issuecomment-1536432927'
Upstream maintainers must upgrade Hive from 2.3.10 to 4.0.1+ to resolve this CVE. JIRA ticket SPARK-52408 tracks this upgrade request. The vulnerability CVE-2024-29869 affects hive-exec 2.3.10 which is bundled in hive-exec-2.3.10-core.jar. This is a significant upgrade as Hive 4.x has major API changes compared to 2.x series.
Upstream maintainers must complete the migration from Jetty 11 to Jetty 12 to resolve this CVE. PR #45500 (SPARK-47086) was opened on 2024-03-13 but was closed without merging. The migration is complex as it requires updating all Jetty multiple dependency and API changes. Spark currently uses jetty-http 11.0.26 in spark-core_2.13-4.1.0.jar. CVE-2024-6763 is fixed in Jetty 12.0.12.
note: 'Upstream maintainers must cut a Hadoop release with Avro 1.11.4+ to resolve this CVE. The vulnerability is in jackson-core 2.12.7 bundled within hadoop-client-runtime-3.4.1.jar. Spark PR #40933 (SPARK-43263) attempted to upgrade Jackson to 2.15.0 but encountered dependency conflicts with Avro 1.11.1 which still pulls Jackson 2.12.7. The PR discussion confirmed that Avro must be upgraded first, which requires a new Hadoop release. CVE-2025-52999 is fixed in Jackson 2.15.0+. Reference: https://github.com/apache/spark/pull/40933#issuecomment-1536432927'
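Review bot: the note for CGA-q54v-3v4v-8967 (CVE-2025-49128) is the same paragraph as the CVE-2025-52999 note with only the CVE and fixed version swapped, and both open by presenting a Hadoop release with Avro 1.11.4+ as the fix, although the fix each note actually records is a jackson-core bump (2.13.0+ and 2.15.0+ respectively) that is only blocked because Avro 1.11.1 still pulls Jackson 2.12.7; lead each note with the Jackson fix version, state the Avro/Hadoop release as the prerequisite, and have one entry reference the other instead of duplicating the rationale, so the two do not drift when one is updated. In the Jetty note, "requires updating all Jetty multiple dependency and API changes" is garbled; "requires updating multiple Jetty dependencies and adapting to Jetty 12 API changes" says what is meant.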
0 commit comments