Skip to content

spark-4.0: add pending-upstream-fix advisory for GHSA-h46c-h94j-95f3 #20804

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 3, 2025
Merged

spark-4.0: add pending-upstream-fix advisory for GHSA-h46c-h94j-95f3 #20804

merged 1 commit into from
Jul 3, 2025

Conversation

@jamie-albert
Copy link
Member

@jamie-albert jamie-albert commented Jul 2, 2025

Summary

Adds pending-upstream-fix advisory for CVE-2025-52999 (GHSA-h46c-h94j-95f3) affecting jackson-core in spark-4.0.

Changes

  • Updated spark-4.0.advisories.yaml

CVE Details

  • CVE-2025-52999 / GHSA-h46c-h94j-95f3: jackson-core can throw a StackoverflowError when processing deeply nested data
  • Affected Component: jackson-core 2.12.7 in hadoop-client-runtime-3.4.1.jar
  • Fix Version: Jackson 2.15.0+

Root Cause

The vulnerability is in jackson-core 2.12.7 bundled within hadoop-client-runtime-3.4.1.jar. Upstream maintainers must cut a Hadoop release with Avro 1.11.4+ to resolve this CVE.

Spark PR #40933 (SPARK-43263) attempted to upgrade Jackson to 2.15.0 but encountered dependency conflicts with Avro 1.11.1 which still pulls Jackson 2.12.7. The PR discussion confirmed that Avro must be upgraded first, which requires a new Hadoop release.

Advisory Type

Marked as pending-upstream-fix because this requires upstream Hadoop changes that are beyond our control.

Reference: apache/spark#40933 (comment)

@jamie-albert
spark-4.0: add pending-upstream-fix advisory for GHSA-h46c-h94j-95f3
7b185df 
Add pending-upstream-fix advisory for CVE-2025-52999 (GHSA-h46c-h94j-95f3) in
jackson-core 2.12.7 bundled within hadoop-client-runtime-3.4.1.jar.

Upstream maintainers must cut a Hadoop release with Avro 1.11.4+ to resolve
this CVE. Spark PR #40933 (SPARK-43263) attempted to upgrade Jackson to 2.15.0
but encountered dependency conflicts with Avro 1.11.1 which still pulls
Jackson 2.12.7. The PR discussion confirmed that Avro must be upgraded first,
which requires a new Hadoop release.
@jamie-albert jamie-albert requested a review from a team July 2, 2025 18:35
@jamie-albert jamie-albert mentioned this pull request Jul 2, 2025
Closed
@efbar efbar added this pull request to the merge queue Jul 3, 2025
Merged via the queue into wolfi-dev:main with commit 95a80d0 Jul 3, 2025
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@efbar efbar efbar approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jamie-albert @efbar