Headline
GHSA-prv5-c2px-j9q3: Apache StreamPark has a hard-coded encryption key
In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access.
This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.
Users are recommended to upgrade to version 2.1.7, which fixes the issue.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-54947
Apache StreamPark has a hard-coded encryption key
High severity GitHub Reviewed Published Dec 12, 2025 to the GitHub Advisory Database • Updated Dec 12, 2025
Package
maven org.apache.streampark:streampark (Maven)
Affected versions
>= 2.0.0, < 2.1.7
In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access.
This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.
Users are recommended to upgrade to version 2.1.7, which fixes the issue.
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-54947
- https://lists.apache.org/thread/kdntmzyzrco75x9q6mc6s8lty1fxmog1
- apache/streampark@39034db
Published to the GitHub Advisory Database
Dec 12, 2025
Last updated
Dec 12, 2025