Overview
On April 1, 2025, a critical vulnerability was published under the identifier CVE-2025-30065. The flaw affects Apache Parquet Java, specifically the parquet-avro module in versions ≤ 1.15.0. This vulnerability allows attackers to execute arbitrary code when a specially crafted Avro schema is parsed from Parquet file metadata.
Technical Details
This issue arises due to unsafe schema parsing that leads to deserialization of untrusted data (CWE-502). When an application using the vulnerable library reads a malicious Parquet file, it may deserialize attacker-controlled input, resulting in full remote code execution. This can occur without any user interaction or special permissions.
The issue has been assigned the highest CVSS v4.0 base score of 10 (Critical), reflecting the severity and exploitability of the flaw. According to the CVSS vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Confidentiality, Integrity, Availability Impact: High
Impacted Component
The vulnerability affects the org.apache.parquet:parquet-avro package from the Apache Parquet Java library. All versions up to and including 1.15.0 are vulnerable.
Real-World Impact
This vulnerability is particularly dangerous in environments where applications process Parquet files from untrusted sources, such as data ingestion systems, cloud data pipelines, or external integrations. Exploitation can lead to complete system compromise, as confirmed by publicly available proof-of-concept exploits.
Mitigation
- Upgrade to Apache Parquet Java version 1.15.1 or later, which includes a fix for this issue.
- Do not process untrusted Parquet files until patches are applied.
- Consider isolating file parsing into sandboxed or low-privilege environments to reduce risk.
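To support the upgrade step, here is a small dependency audit added as an example (it is not code from the advisory or from the Apache Parquet project). It scans `mvn dependency:tree` output for the affected coordinate at 1.15.0 or earlier; the sample tree below is constructed, not real project output.

```python
import re
from typing import Iterable

# Affected coordinate and first fixed release, as stated in the advisory for CVE-2025-30065
VULNERABLE_ARTIFACT = "org.apache.parquet:parquet-avro"
FIXED_VERSION = (1, 15, 1)
SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# Strips the "[INFO]" prefix and tree-drawing characters (+- |  \-) from mvn output
_PREFIX = re.compile(r"^\[INFO\]\s*[|+\\\s\-]*")


def version_tuple(numeric: str) -> tuple:
    """'1.15.0' -> (1, 15, 0); non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in numeric.split("."))


def is_vulnerable(version: str) -> bool:
    """True for every parquet-avro version up to and including 1.15.0.

    Conservative: a qualified build of the fix version itself (e.g. 1.15.1-SNAPSHOT)
    may predate the patch, so it is flagged for manual review as well.
    """
    numeric, _, qualifier = version.partition("-")
    v = version_tuple(numeric)
    return v < FIXED_VERSION or (v == FIXED_VERSION and bool(qualifier))


def scan_dependency_tree(lines: Iterable[str]) -> list:
    """Return (coordinate, version) for each vulnerable parquet-avro entry in the tree."""
    findings = []
    for raw in lines:
        parts = _PREFIX.sub("", raw).strip().split(":")
        if len(parts) < 4:  # not a groupId:artifactId:packaging[:classifier]:version[:scope] line
            continue
        coordinate = f"{parts[0]}:{parts[1]}"
        version = parts[-2] if parts[-1] in SCOPES else parts[-1]
        if coordinate == VULNERABLE_ARTIFACT and is_vulnerable(version):
            findings.append((coordinate, version))
    return findings


# Constructed sample of `mvn dependency:tree` output for a hypothetical ingest service
SAMPLE_TREE = """\
[INFO] --- dependency:3.6.1:tree (default-cli) @ ingest-service ---
[INFO] com.example:ingest-service:jar:1.0.0
[INFO] +- org.apache.parquet:parquet-avro:jar:1.15.0:compile
[INFO] |  \\- org.apache.avro:avro:jar:1.11.4:compile
[INFO] +- org.apache.parquet:parquet-hadoop:jar:1.15.0:compile
[INFO] \\- com.example:legacy-reader:jar:2.3.0:compile
[INFO]    \\- org.apache.parquet:parquet-avro:jar:1.14.2:test
""".splitlines()

if __name__ == "__main__":
    for coord, ver in scan_dependency_tree(SAMPLE_TREE):
        print(f"VULNERABLE {coord}:{ver} (CVE-2025-30065, upgrade to 1.15.1 or later)")
```

Transitive copies pulled in by other libraries are reported too, which is why the scan runs over the full tree rather than only the direct dependencies in the POM.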
Discovery and Acknowledgment
This vulnerability was discovered by Keyi Li from Amazon. The Apache Software Foundation has released an advisory and patch for the issue. Additional exploit demonstrations have been shared by the security community on GitHub.
All users of the Apache Parquet Java library are urged to update immediately.