Nándor Kollár

**Name of the Vulnerable Software and Affected Versions** Apache Parquet versions prior to 1.15.2 **Description** The vulnerability in Apache Parquet Java allows remote code execution via insecure parquet-avro module schema parsing. The issue affects versions up to 1.15.1. The parquet-avro module is responsible for processing Avro schemas within the metadata of Parquet files. Despite an earlier update in version 1.15.1 intended to restrict untrusted packages, the default settings remain permissive enough that harmful classes can still be executed. This is particularly worrisome for data processing pipelines that may draw files from untrusted sources, putting any application utilizing this module at risk of remote code execution. The exploit is only applicable if the client code of parquet-avro uses the "specific" or the "reflect" models deliberately for reading Parquet files. **Recommendations** Apache Parquet version 1.15.1: Set the system property "org.apache.parquet.avro.SERIALIZABLE PACKAGES" to an empty string. Apache Parquet versions prior to 1.15.1: Upgrade to version 1.15.2. Apache Parquet versions prior to 1.15.2 (general recommendation): Upgrade to version 1.15.2 to ensure safety.