Apache Parquet Avro Module Vulnerable to Arbitrary Code Execution · CVE-2025-30065 · GitHub Advisory Database · GitHub

Apache Parquet Avro Module Vulnerable to Arbitrary Code Execution

Critical severity GitHub Reviewed Published Apr 1, 2025 to the GitHub Advisory Database • Updated May 7, 2025

Package

org.apache.parquet:parquet-avro (Maven)

Affected versions

< 1.15.1

Patched versions

1.15.1

Description

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code

Users are recommended to upgrade to version 1.15.1, which fixes the issue.

References

Published by the National Vulnerability Database

Apr 1, 2025

Published to the GitHub Advisory Database Apr 1, 2025

Reviewed Apr 1, 2025

Last updated May 7, 2025

Severity

Critical

/ 10

CVSS v4 base metrics

Exploitability Metrics

Attack Vector Network

Attack Complexity Low

Attack Requirements None

Privileges Required None

User interaction None

Vulnerable System Impact Metrics

Confidentiality High

Integrity High

Availability High

Subsequent System Impact Metrics

Confidentiality High

Integrity High

Availability High

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A