56 matches found
ai.catboost:catboost-spark_3.2_2.13 (>=1.0.6 <=1.2.10), ai.catboost:catboost-spark_3.3_2.13 (>=1.1.1 <=1.2.10) +445 more potentially affected by CVE-2025-54920 via org.apache.spark:spark-core_2.13 (>=3.2.0 <=3.5.6)
org.apache.spark:spark-core_2.13 MAVEN version =3.2.0, =1.0.6, =1.1.1, =1.2, =1.2.3, =0.0.25, =0.0.25, =0.0.25, =0.0.86, =0.0.14, =6.5.0, =1.3.3, =0.20, =0.2, =2.0.3, =1.1.3, =1.1.4 and more Source cves: CVE-2025-54920 Source advisory: OSV:GHSA-JWP6-CVJ8-FW65...
ai.catboost:catboost-spark_2.12 (>=0.25-rc1 <=0.25-rc3), ai.catboost:catboost-spark_2.4_2.12 (>=0.25 <=1.2.7) +1743 more potentially affected by CVE-2025-54920 via org.apache.spark:spark-core_2.12 (>=2.4.0 <=3.5.6)
org.apache.spark:spark-core_2.12 MAVEN version =2.4.0, =0.25-rc1, =0.25, =0.25, =1.0.1, =1.0.6, =1.1, =1.2, =1.2.3, =0.0.25, =0.0.25, =0.0.62, =0.0.25, =0.0.86, =0.0.8, =0.0.6, =0.0.9 and more Source cves: CVE-2025-54920 Source advisory: OSV:GHSA-JWP6-CVJ8-FW65...
ai.grakn:client-java (=1.3.0), ai.grakn:grakn-bootup (>=1.1.0 <=v1.1.0-226-g847ecff2d8e26f249422247d7665fe15f07b1744) +677 more potentially affected by CVE-2025-54920 via org.apache.spark:spark-core_2.10 (>=0.9.0-incubating <=2.2.3)
org.apache.spark:spark-core_2.10 MAVEN version =0.9.0-incubating, =1.1.0, =0.12.0, =1.2.0, =0.12.0, =1.0.0, =1.0.0, =1.2.0, =0.17.0, =0.10.0, =0.15.0, =0.6.1, =0.17.0, =1.1.0 and more Source cves: CVE-2025-54920 Source advisory: OSV:GHSA-JWP6-CVJ8-FW65 https://vulners.com/osv...
com.azure.cosmos.spark:azure-cosmos-spark_4-0_2-13 (>=4.43.0 <=4.48.0), com.github.rumbledb:rumbledb (=2.0.0) +79 more potentially affected by CVE-2025-54920 via org.apache.spark:spark-core_2.13 (=4.0.0)
org.apache.spark:spark-core_2.13 MAVEN version =4.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.spark:spark-core_2.13 and may be impacted: - com.azure.cosmos.spark:azure-cosmos-spark_4-0_2-13 =4.43.0, =0.43.0-preview, =0.43.0-preview,...
org.apache.spark:spark-tools_2.9.3 (=0.8.1-incubating) potentially affected by CVE-2025-54920 via org.apache.spark:spark-core_2.9.3 (=0.8.1-incubating)
org.apache.spark:spark-core_2.9.3 MAVEN version =0.8.1-incubating is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.spark:spark-core_2.9.3 and may be impacted: - org.apache.spark:spark-tools_2.9.3 =0.8.1-incubating Source cves: CVE-2025-54920...
ae.teletronics.nlp:entityextraction (=1.3), ae.teletronics.nlp:w2vec (=1.0) +1722 more potentially affected by CVE-2025-54920 via org.apache.spark:spark-core_2.11 (>=1.2.0 <=2.4.8)
org.apache.spark:spark-core_2.11 MAVEN version =1.2.0, =0.25-rc1, =0.25, =0.25, =0.0.25, =0.0.25, =0.0.25, =0.0.86, =local, =0.0.1, =0.42.1, =1.4.1, =1.4.3 - ai.grakn:grakn-dist =1.4.1 and more Source cves: CVE-2025-54920 Source advisory: OSV:GHSA-JWP6-CVJ8-FW65...
ai.catboost:catboost-spark_3.2_2.13 (>=1.0.6 <=1.2.10), ai.catboost:catboost-spark_3.3_2.13 (>=1.1.1 <=1.2.10) +445 more potentially affected by CVE-2025-54920 via org.apache.spark:spark-core_2.13 (>=3.2.0 <=3.5.6)
org.apache.spark:spark-core_2.13 MAVEN version =3.2.0, =1.0.6, =1.1.1, =1.2, =1.2.3, =0.0.25, =0.0.25, =0.0.25, =0.0.86, =0.0.14, =6.5.0, =1.3.3, =0.20, =0.2, =2.0.3, =1.1.3, =1.1.4 and more Source cves: CVE-2025-54920 Source advisory: SNYK:JAVA-ORGAPACHESPARK-15623152...
Deserialization of Untrusted Data
Overview org.apache.spark:spark-core_2.12 is a unified analytics engine for large-scale data processing. It provides high-level APIs in Scala, Java, Python, and R, and an optimized engine that supports general computation graphs for data analysis. It also supports a rich set of higher-level tools...
ai.catboost:catboost-spark_3.0_2.12 (>=0.25 <=1.2.8), ai.catboost:catboost-spark_3.1_2.12 (>=1.0.1 <=1.2.8) +1478 more potentially affected by CVE-2025-54920 via org.apache.spark:spark-core_2.12 (>=3.0.0-preview <=3.5.6)
org.apache.spark:spark-core_2.12 MAVEN version =3.0.0-preview, =0.25, =1.0.1, =1.0.6, =1.1, =1.2, =1.2.3, =0.0.25, =0.0.25, =0.0.62, =0.0.25, =0.0.86, =0.0.8, =0.0.6, =0.20.0, =0.22.0, =0.36.0 and more Source cves: CVE-2025-54920 Source advisory: SNYK:JAVA-ORGAPACHESPARK-15623151...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the Jackson implementation in the Spark History Server web UI. An attacker who can write event logs can achieve code execution by injecting malicious JSON payloads into event log files, which are the...
com.azure.cosmos.spark:azure-cosmos-spark_4-0_2-13 (>=4.43.0 <=4.48.0), com.github.rumbledb:rumbledb (=2.0.0) +83 more potentially affected by CVE-2025-54920 via org.apache.spark:spark-core_2.13 (>=4.0.0-preview2 <=4.0.0)
org.apache.spark:spark-core_2.13 MAVEN version =4.0.0-preview2, =4.43.0, =0.43.0-preview, =0.43.0-preview, =4.0.0-preview22.0.1, =0.0.3, =0.0.3, =7.0.1, =0.0.1-poc, =0.0.1-poc, =0.0.1-poc, =0.0.1-poc, =0.0.1-poc7 and more Source cves: CVE-2025-54920 Source advisory: SNYK:JAVA-ORGAPACHESPARK-156231...
Improper Privilege Management
spark-core is vulnerable to Improper Privilege Management. The vulnerability exists because the library does not properly disallow arbitrary custom classpaths with the proxy user in cluster mode, which allows an attacker to provide malicious configuration-related classes in the classpath...
ai.catboost:catboost-spark_2.12 (>=0.25-rc1 <=0.25-rc3), ai.catboost:catboost-spark_2.4_2.12 (>=0.25 <=1.2.7) +1391 more potentially affected by CVE-2023-22946 via org.apache.spark:spark-core_2.12 (>=2.4.0 <=3.3.2)
org.apache.spark:spark-core_2.12 MAVEN version =2.4.0, =0.25-rc1, =0.25, =0.25, =1.0.1, =1.0.6, =1.1, =0.0.25, =0.0.25, =0.0.62, =0.0.25, =0.0.86, =0.0.8, =0.0.6, =0.20.0, =0.22.0, =0.28.0 and more Source cves: CVE-2023-22946 Source advisory: OSV:GHSA-329J-JFVR-RHR6...
ai.catboost:catboost-spark_3.2_2.13 (>=1.0.6 <=1.2.10), ai.catboost:catboost-spark_3.3_2.13 (>=1.1.1 <=1.2.10) +221 more potentially affected by CVE-2023-22946 via org.apache.spark:spark-core_2.13 (>=3.2.0 <=3.3.2)
org.apache.spark:spark-core_2.13 MAVEN version =3.2.0, =1.0.6, =1.1.1, =0.0.25, =0.0.25, =0.0.25, =0.0.86, =0.0.14, =0.20, =1.1.3, =1.4.0, =1.4.0, =0.0.3, =0.0.4 and more Source cves: CVE-2023-22946 Source advisory: OSV:GHSA-329J-JFVR-RHR6...
ai.grakn:client-java (=1.3.0), ai.grakn:grakn-bootup (>=1.1.0 <=v1.1.0-226-g847ecff2d8e26f249422247d7665fe15f07b1744) +568 more potentially affected by CVE-2022-31777 via org.apache.spark:spark-core_2.10 (>=1.0.0 <=1.6.3)
org.apache.spark:spark-core_2.10 MAVEN version =1.0.0, =1.1.0, =0.12.0, =1.2.0, =0.12.0, =1.0.0, =1.0.0, =1.2.0, =0.17.0, =0.10.0, =0.15.0, =0.6.1, =0.17.0, =1.1.0 and more Source cves: CVE-2022-31777 Source advisory: OSV:GHSA-43XG-8WMJ-CW8H https://vulners.com/osv/OSV:GHSA-4...
com.datastax.spark:spark-cassandra-connector-demos_2.10 (>=1.0.0 <=1.0.6), com.datastax.spark:spark-cassandra-connector-java_2.10 (>=1.0.0 <=1.0.6) +23 more potentially affected by CVE-2022-31777 via org.apache.spark:spark-core_2.10 (>=0.9.0-incubating <=0.9.2)
org.apache.spark:spark-core_2.10 MAVEN version =0.9.0-incubating, =1.0.0, =1.0.0, =1.0.0, =0.2.2, =0.2.2, =0.2.2, =0.9.0-C2-EA, =0.5.0, =0.9.0, =0.8.3, =0.9.0-incubating, =0.9.0-incubating, =0.9.2 and more Source cves: CVE-2022-31777 Source advisory: OSV:GHSA-43XG-8WMJ-CW8H...
ch.zzeekk.spark:spark-temporalquery_2.10 (=1.0.0), com.antgroup.tugraph:calcite-spark (>=1.18.0-geaflow_1.0 <=1.18.0-geaflow_1.1) +159 more potentially affected by CVE-2022-31777 via org.apache.spark:spark-core_2.10 (>=2.0.0-preview <=2.2.3)
org.apache.spark:spark-core_2.10 MAVEN version =2.0.0-preview, =1.18.0-geaflow_1.0, =0.1.0, =2.0.0, =0.8.2, =1.1.0, =2.0.0, =2.0.0, =2.0.0, =2.0.13 and more Source cves: CVE-2022-31777 Source advisory: OSV:GHSA-43XG-8WMJ-CW8H...
ae.teletronics.nlp:entityextraction (=1.3), au.gov.amsa.risky:spark (>=0.5.2 <=0.5.9) +269 more potentially affected by CVE-2022-31777 via org.apache.spark:spark-core_2.11 (>=1.2.0 <=1.6.3)
org.apache.spark:spark-core_2.11 MAVEN version =1.2.0, =0.5.2, =1.0.0, =0.10.0, =0.10.0, =0.10.0, =0.10.0, =0.10.0, =1.6.0, =1.0, =1.0.1, =1.0.0, =0.8.0, =0.8.2 and more Source cves: CVE-2022-31777 Source advisory: OSV:GHSA-43XG-8WMJ-CW8H...
ai.catboost:catboost-spark_3.2_2.13 (>=1.0.6 <=1.2.10), ai.chronon:aggregator_2.13 (>=0.0.25 <=def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91) +104 more potentially affected by CVE-2022-31777 via org.apache.spark:spark-core_2.13 (>=3.2.0 <=3.2.1)
org.apache.spark:spark-core_2.13 MAVEN version =3.2.0, =1.0.6, =0.0.25, =0.0.25, =0.0.25, =0.0.86, =0.0.14, =1.1.3, =1.4.0, =1.4.0, =0.2.3, =3.2.00.16.0, =0.14.0, =0.3.8-spark-3.1.2, =0.3.8-spark-3.2.0, =1.2.0-spark-3.2.0 - com.github.benfradet:spark-kafka-writer_2.13 =0.6.0 and more Source cves:...
ai.catboost:catboost-spark_2.12 (>=0.25-rc1 <=0.25-rc3), ai.catboost:catboost-spark_2.4_2.12 (>=0.25 <=1.2.7) +1152 more potentially affected by CVE-2022-31777 via org.apache.spark:spark-core_2.12 (>=2.4.0 <=3.2.1)
org.apache.spark:spark-core_2.12 MAVEN version =2.4.0, =0.25-rc1, =0.25, =0.25, =1.0.1, =1.0.6, =0.0.25, =0.0.25, =0.0.62, =0.0.25, =0.0.86, =0.0.8, =0.0.6, =0.0.1, =3.34.0.3-1-3.0, =3.46.0.6-1-3.1 - ai.hunters:spark-adaptive-file-connector_2.12 =1.0.0 and more Source cves: CVE-2022-31777 Source...