Hello,

I see you have sent this email both to [email protected] and to
[email protected]. This email is off-topic for
[email protected]: this is a public list for
discussing security topics in general, not for specific security issues.

It is off-topic for [email protected] as well: when an advisory is
published for a dependency, more often than not, the project does not use
the dependency in a way that is affected by the problem described in the
advisory. For this reason we don't accept the simple fact that an advisory
exists for a dependency as a security issue in itself. If you have done any
analysis to confirm the issue described in the advisory does impact this
project, please share that information with us privately. Likewise, if you
have verified the issue does not impact Spark, it would be appreciated to
contribute that information to the project. In any case, you can work with
us to get this dependency updated through the regular open contribution
channels: you might want to review
https://spark.apache.org/contributing.html.


Kind regards,

Arnout Engelen
ASF Security.

On Wed, Oct 29, 2025 at 12:08 PM G, Shrivathsan <
[email protected]> wrote:

> Hi Apache Spark Security Team,
>
> We would like to bring to your immediate attention several *critical and
> high-severity security vulnerabilities* identified during recent
> assessments of PySpark environments. These issues pose substantial risks to
> data integrity, system availability, and the overall security posture of
> deployments. For your reference, we have attached the relevant CVE details.
> Following the release of *Apache Spark 4.0.1 on September 6, 2025*, we
> have observed that a number of these vulnerabilities remain unaddressed. In
> light of this, we would like to inquire:
>
>    - When can the community expect the *next stable release* that
>    comprehensively addresses the outstanding critical and high-severity
>    vulnerabilities?
>    - Are there any interim mitigation steps or patches recommended for
>    users currently on version 4.0.1?
>
>
> *severity*  *vulnerability_name*  *name*
> CRITICAL    CVE-2024-47561        org.apache.avro:avro
> CRITICAL    CVE-2023-44981        cpe:2.3:a:apache:zookeeper
> CRITICAL    CVE-2023-44981        org.apache.zookeeper:zookeeper
> CRITICAL    CVE-2023-44981        org.apache.zookeeper:zookeeper
> CRITICAL    CVE-2022-46337        org.apache.derby:derby
> CRITICAL    CVE-2019-10202        org.codehaus.jackson:jackson-mapper-asl
> HIGH        GHSA-xpw8-rcwv-8f8p   io.netty:netty-codec-http2
> HIGH        GHSA-xpw8-rcwv-8f8p   io.netty:netty-codec-http2
> HIGH        CVE-2025-55163        io.netty:netty-codec-http2
> HIGH        CVE-2025-55163        io.netty:netty-codec-http2
> HIGH        CVE-2025-52999        com.fasterxml.jackson.core:jackson-core
> HIGH        CVE-2025-52999        com.fasterxml.jackson.core:jackson-core
> HIGH        CVE-2025-48734        commons-beanutils:commons-beanutils
> HIGH        CVE-2025-24970        io.netty:netty-handler
> HIGH        CVE-2025-24970        io.netty:netty-handler
> HIGH        CVE-2024-7254         com.google.protobuf:protobuf-java
> HIGH        CVE-2024-7254         com.google.protobuf:protobuf-java
> HIGH        CVE-2024-47554        commons-io:commons-io
> HIGH        CVE-2024-25638        dnsjava:dnsjava
> HIGH        CVE-2024-13009        org.eclipse.jetty:jetty-server
> HIGH        CVE-2023-52428        com.nimbusds:nimbus-jose-jwt
> HIGH        CVE-2023-39410        org.apache.avro:avro
> HIGH        CVE-2023-1370         net.minidev:json-smart
> HIGH        CVE-2022-46751        org.apache.ivy:ivy
> HIGH        CVE-2022-42004        com.fasterxml.jackson.core:jackson-databind
> HIGH        CVE-2022-42003        com.fasterxml.jackson.core:jackson-databind
> HIGH        CVE-2022-3510         com.google.protobuf:protobuf-java
> HIGH        CVE-2022-3510         com.google.protobuf:protobuf-java
> HIGH        CVE-2022-3509         com.google.protobuf:protobuf-java
> HIGH        CVE-2022-3509         com.google.protobuf:protobuf-java
> HIGH        CVE-2022-25647        com.google.code.gson:gson
> HIGH        CVE-2021-31684        net.minidev:json-smart
> HIGH        CVE-2021-22569        com.google.protobuf:protobuf-java
> HIGH        CVE-2021-22569        com.google.protobuf:protobuf-java
> HIGH        CVE-2020-13949        org.apache.thrift:libthrift
> HIGH        CVE-2019-10172        org.codehaus.jackson:jackson-mapper-asl
> HIGH        CVE-2019-0205         org.apache.thrift:libthrift
> HIGH        CVE-2018-1330         org.apache.mesos:mesos
>
> We appreciate your continued efforts in maintaining the security and
> reliability of the Spark ecosystem and look forward to your guidance on the
> above.
>
> Regards,
> Shrivathsan G
>