Apache StreamPark hard-coded encryption key exposes sensitive data to decryption attacks
Take action: If you're running Apache StreamPark, ensure these systems are isolated from the internet and accessible only from trusted networks, then plan an upgrade to version 2.1.7.
Apache StreamPark is reporting a critical vulnerability that could allow attackers to compromise sensitive data through exploitation of a hard-coded encryption key.
The flaw is tracked as CVE-2025-54947 (CVSS score 9.8) and is caused by a design flaw: Apache StreamPark uses a fixed, immutable encryption key for data protection instead of dynamic key generation or secure configuration mechanisms. Attackers can reverse engineer the application or read its code to obtain the key. Once obtained, this encryption key gives threat actors the ability to decrypt any data protected by the system. The vulnerability also allows attackers to forge encrypted information, potentially manipulating data streams or injecting malicious content into the system without detection.
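The two consequences named above (a key recoverable from the code, and forged data that the system accepts) both come down to where the key lives and whether protected data carries an authentication tag. The Python below is an added illustration of the weak pattern beside the hardened one, plus a small source-review check for literal keys; it is not StreamPark's code. The key value, the APP_ENCRYPTION_KEY variable name, and the sample Java lines are constructed for the example.

```python
import hashlib
import hmac
import os
import re
import secrets

# Weak pattern (the class of defect the advisory describes): the key is a
# constant in the source, so every deployment shares it and anyone who can
# read the code has it. Constructed placeholder, not StreamPark's real key.
HARDCODED_KEY = b"example-static-key-do-not-use"

# Hardened pattern: the key is generated once per deployment and supplied
# through configuration (an environment variable here; a secret store works
# the same way). Startup fails closed instead of falling back to a constant.
KEY_ENV_VAR = "APP_ENCRYPTION_KEY"  # hypothetical variable name


def generate_key_hex() -> str:
    """Fresh 256-bit key from the OS CSPRNG, hex-encoded for a config file."""
    return secrets.token_hex(32)


def load_key(env=None) -> bytes:
    """Load the deployment key from configuration; refuse to run without one."""
    env = os.environ if env is None else env
    raw = env.get(KEY_ENV_VAR)
    if raw is None:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set; refusing to use a built-in key")
    try:
        key = bytes.fromhex(raw)
    except ValueError as exc:
        raise RuntimeError(f"{KEY_ENV_VAR} must be hex-encoded") from exc
    if len(key) < 32:
        raise RuntimeError(f"{KEY_ENV_VAR} must be at least 256 bits")
    return key


def seal(key: bytes, data: bytes) -> bytes:
    """Append an HMAC-SHA256 tag so modified or forged data is detectable."""
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return data + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time; reject anything not sealed under this key."""
    if len(blob) < 32:
        raise ValueError("blob too short to carry a tag")
    data, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: data was forged or modified")
    return data


# Source-review check: flag a string literal assigned to a key-like name.
_KEY_LITERAL = re.compile(
    r"""(?ix)
    \b[\w.]*(key|secret|password|passwd)[\w.]*   # identifier containing a key-like word
    \s*[=:]\s*
    ["'][^"']{8,}["']                            # a literal of 8 or more characters
    """
)


def find_hardcoded_keys(source: str) -> list[tuple[int, str]]:
    """Return (line number, line) pairs where a literal is assigned to a key-like name."""
    return [(n, line.strip()) for n, line in enumerate(source.splitlines(), 1)
            if _KEY_LITERAL.search(line)]


# Constructed sample source for the scanner (not StreamPark's code).
SAMPLE_SOURCE = """\
public class Crypto {
    private static final String ENCRYPT_KEY = "1234567890abcdef";   // literal key: flagged
    private static final String OWNER = "stream-team";              // not a key-like name
    String runtimeKey = System.getenv("APP_ENCRYPTION_KEY");        // loaded at runtime: fine
}
"""


if __name__ == "__main__":
    key = load_key({KEY_ENV_VAR: generate_key_hex()})
    blob = seal(key, b"job-config")
    print("round trip ok:", unseal(key, blob) == b"job-config")
    try:
        unseal(HARDCODED_KEY.ljust(32, b"\0"), blob)
    except ValueError as err:
        print("other key rejected:", err)
    for line_no, line in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"hard-coded key at line {line_no}: {line}")
```

The point of `load_key` is that a missing key is a startup error, never a silent fallback to a compiled-in constant; the point of `seal`/`unseal` is that data sealed under one deployment's key is rejected under any other, which is exactly the property a shared fixed key destroys. The scanner is a coarse review aid for catching the pattern before release, not a substitute for a secrets scanner.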
Apache StreamPark versions 2.0.0 through 2.1.6 are affected by this vulnerability.
Apache has released version 2.1.7, implementing proper encryption key management practices. The Apache StreamPark project strongly recommends that all users running affected versions immediately upgrade to the patched release.