CVE-2025-54947

9.8 CRITICAL

📋 TL;DR

Apache StreamPark versions 2.0.0 through 2.1.6 ship with a hard-coded encryption key. Because the key is part of the published code, anyone can recover it without touching a target system and then decrypt data StreamPark encrypted with it, or forge ciphertext that an affected instance will accept as genuine. Every deployment of an affected version is exposed; the likely outcome is disclosure of sensitive stored data, and in the worst case unauthorized access to the systems whose credentials that data contains.

💻 Affected Systems

Products:
  • Apache StreamPark
Versions: 2.0.0 through 2.1.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The key is compiled into the application rather than read from configuration, so every installation of an affected version is vulnerable regardless of its settings.

📦 What is this software?

Apache StreamPark is an open-source framework and management console for developing, deploying and operating Apache Flink and Apache Spark streaming jobs. The console holds configuration for those clusters and jobs, some of it sensitive, and that is the data the encryption discussed here is meant to protect.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Everything StreamPark encrypted under the key is readable by anyone who obtains the ciphertext, whether from a database dump, a backup or a configuration export, and forged ciphertext can be passed off as genuine. Credentials recovered this way give access to the systems they belong to and a foothold for lateral movement.

🟠

Likely Case

Information disclosure of sensitive configuration data and potential authentication bypass.

🟢

If Mitigated

Limited if the ciphertext is never exposed (read access to the StreamPark database, backups and configuration exports is tightly controlled) and the values it protects are of low value or are also guarded by controls StreamPark does not hold, such as network restrictions on the downstream systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Recovering the key needs no access to a target: StreamPark is open source, so the key can be read from the published source or extracted from the distributed jar. The work for an attacker lies in obtaining ciphertext produced with it (access to wherever an instance stores, exports or backs up encrypted values) or in reaching an interface that will consume forged ciphertext.
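The mechanism above, as an added example that is not StreamPark's code and uses none of its identifiers: a service that encrypts stored secrets with a key that ships inside its own artifact, the two capabilities that hands an attacker (read everything, forge anything), and the fail-closed alternative that takes the key from the environment. The cipher is a stdlib-only stand-in (an HMAC-SHA256 keystream with an HMAC tag, encrypt-then-MAC) so the script runs offline; it is not StreamPark's algorithm, and the key constant and the STREAMPARK_DEMO_SECRET_KEY variable name are constructed for the demo.

```python
"""Added example, not StreamPark code: a hard-coded key turns encryption into
encoding. The cipher is a stdlib stand-in, not the real algorithm."""
import hashlib
import hmac
import os
import secrets

# Vulnerable pattern: the key is a constant in the shipped code, so anyone with
# the source or the jar has it. Constructed value, not the real StreamPark key.
HARDCODED_KEY = b"constructed-demo-key-do-not-use-0001"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (demo stand-in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Reject tampered or foreign blobs (bad tag); otherwise return plaintext."""
    if len(blob) < 16 + 32:
        raise ValueError("blob too short")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


# Vulnerable service: stores and loads secrets under the baked-in key.
def vulnerable_store(secret: bytes) -> bytes:
    return encrypt(HARDCODED_KEY, secret)


def vulnerable_load(blob: bytes) -> bytes:
    return decrypt(HARDCODED_KEY, blob)


# Attacker: has a copy of the artifact, therefore has the key.
def attacker_decrypt(stolen_blob: bytes) -> bytes:
    """Any stored ciphertext (DB dump, backup, export) is readable."""
    return decrypt(HARDCODED_KEY, stolen_blob)


def attacker_forge(value: bytes) -> bytes:
    """...and ciphertext can be minted that the service will authenticate."""
    return encrypt(HARDCODED_KEY, value)


# Hardened service: the key lives outside the artifact and there is no default.
KEY_ENV = "STREAMPARK_DEMO_SECRET_KEY"  # hypothetical name for this example


def load_key_from_env(env=os.environ) -> bytes:
    """Fail closed: no key, no service. Never fall back to a built-in value."""
    raw = env.get(KEY_ENV)
    if not raw or len(raw) < 32:
        raise RuntimeError(f"{KEY_ENV} must be set to at least 32 random characters")
    return raw.encode()


def hardened_load(blob: bytes, env=os.environ) -> bytes:
    return decrypt(load_key_from_env(env), blob)


def rejects(blob: bytes, env) -> bool:
    """True if the hardened loader refuses the blob (foreign key or tampering)."""
    try:
        hardened_load(blob, env)
    except ValueError:
        return True
    return False


def key_missing_fails(env) -> bool:
    """True if the hardened loader refuses to start without a configured key."""
    try:
        load_key_from_env(env)
    except RuntimeError:
        return True
    return False
```

Against the vulnerable side, attacker_decrypt and attacker_forge both succeed with nothing but the artifact; against the hardened side, a forgery under the public key fails the tag check and an unset key stops the service instead of silently using a default.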

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.7

Vendor Advisory: https://lists.apache.org/thread/kdntmzyzrco75x9q6mc6s8lty1fxmog1

Restart Required: Yes

Instructions:

1. Download Apache StreamPark 2.1.7 from official sources.
2. Stop the current StreamPark service.
3. Back up configuration and data.
4. Install version 2.1.7.
5. Restart the service.
6. Treat every value encrypted by an affected version as exposed and rotate it (passwords, tokens and keys stored through StreamPark). The upgrade removes the weakness, but it cannot recall a key that has been in the published source since 2.0.0; anyone who already holds a copy of the ciphertext can still decrypt it.

🔧 Temporary Workarounds

Disable encryption features

Applies to: all affected versions

Where a feature can run without the vulnerable encryption mechanism, modify the configuration to turn that feature off until the upgrade. This does nothing for values already encrypted and stored: they remain recoverable by anyone holding the ciphertext, and only rotating them after the upgrade closes that exposure.

🧯 If You Can't Patch

  • Isolate vulnerable systems from untrusted networks, and restrict which principals can reach the StreamPark console and its database.
  • Treat StreamPark's own encryption as no protection, since the key is public: lock down read access to the database, backups and configuration exports that hold the ciphertext, and keep them on storage encrypted at rest with a key StreamPark does not hold.
  • Where a secret can be moved out of StreamPark into an external secret store, do so, and rotate it once it has been moved.

🔍 How to Verify

Check if Vulnerable:

An installation is vulnerable if its version is 2.0.0 through 2.1.6 inclusive. Read the version from the web interface or from the configuration files, and compare it numerically rather than as text (as strings, 2.1.10 sorts before 2.1.7 although it is newer).

Check Version:

Check the version in the web interface or configuration files (e.g., streampark.version property).

Verify Fix Applied:

Verify the reported version is 2.1.7 or later. The key lived in the code, not in a configuration file, so there is no setting whose absence confirms the fix; the version is the check. Then confirm that secrets encrypted by the affected version have been rotated, since the upgrade alone does not make old ciphertext safe.

📡 Detection & Monitoring

Log Indicators:

A hard-coded key leaves no distinctive trace when used: decryption with the right key succeeds silently, and nothing in the logs separates an attacker's use of the key from the application's own. Watch instead for access to the ciphertext and for use of what it protects:

  • Bulk reads or dumps of the StreamPark database, and reads of its backups or configuration exports, by principals or hosts that do not normally touch them
  • Logins to systems whose credentials StreamPark stores, from sources other than the StreamPark host
  • Decryption or authentication failures in StreamPark logs, which can indicate tampered or foreign ciphertext being submitted

Network Indicators:

There is no dedicated encryption endpoint to watch. Relevant traffic is access to the console and database from unexpected sources, and outbound connections from the StreamPark host to destinations it does not normally reach.

SIEM Query:

Drive the query from inventory rather than from exploitation artifacts: list every StreamPark instance whose version is 2.0.0 through 2.1.6 (compared numerically, not as strings), then correlate database access and downstream logins against those hosts.
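A version-range check serving both the verification step and the inventory-driven SIEM query above, written as an added example rather than anything from the page or from the StreamPark project: it parses reported version strings, compares them numerically so that 2.1.10 is correctly newer than 2.1.7, and flags anything it cannot parse, plus any pre-release build of 2.1.7 (a snapshot can carry the number without carrying the fix), for manual review. The inventory lines and host names are constructed sample data.

```python
"""Added example, not StreamPark's code: flag affected StreamPark versions from
a host inventory, comparing versions numerically rather than as strings."""
import re

AFFECTED_MIN = (2, 0, 0)  # first affected release per the advisory
AFFECTED_MAX = (2, 1, 6)  # last affected release
FIXED = (2, 1, 7)         # first fixed release

# Accepts "2.1.6", "v2.1.6" and "2.1.7-SNAPSHOT"; the suffix is captured separately.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")

# Constructed sample inventory: host,reported_version (one host has no version).
SAMPLE_INVENTORY = """\
# host,reported_version
flink-cp-01,2.1.6
flink-cp-02,2.1.7
flink-cp-03,2.1.10
legacy-01,1.2.4
staging-01,2.1.7-SNAPSHOT
unknown-01,
"""


def parse_version(text: str):
    """Return ((major, minor, patch), suffix_or_None), or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups()[:3]), m.group(4)


def is_affected(text: str) -> bool:
    """True when the version falls in 2.0.0..2.1.6 inclusive.

    Unparseable input is treated as affected so it surfaces for review rather
    than disappearing, and a pre-release build of the fixed version is treated
    as affected because it may predate the fix commit."""
    parsed = parse_version(text)
    if parsed is None:
        return True
    base, suffix = parsed
    if suffix and base == FIXED:
        return True
    return AFFECTED_MIN <= base <= AFFECTED_MAX


def affected_hosts(inventory: str) -> list:
    """Hosts from a 'host,version' inventory that need patching or review."""
    hits = []
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        if is_affected(version):
            hits.append(host)
    return hits


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: affected or needs review")
```

On the sample data this reports flink-cp-01 (2.1.6, in range), staging-01 (snapshot of 2.1.7, review) and unknown-01 (no version, review), and correctly leaves flink-cp-03 alone even though "2.1.10" would sort as vulnerable in a string comparison.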

🔗 References

  • Vendor advisory: https://lists.apache.org/thread/kdntmzyzrco75x9q6mc6s8lty1fxmog1