PT-2023-7023 · Apache · Pyarrow
Antoine Pitrou
Published: 2023-11-08 · Updated: 2026-05-13
CVE-2023-47248
CVSS v2.0: 10 (Critical)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
PyArrow versions 0.14.0 through 14.0.0
Description
PyArrow's IPC and Parquet readers deserialize untrusted data in a way that allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather, or Parquet data from untrusted sources, such as user-supplied input files. This vulnerability affects only PyArrow, not other Apache Arrow implementations or bindings.
Recommendations
For PyArrow versions 0.14.0 through 14.0.0, it is recommended to upgrade to version 14.0.1 or later. Downstream libraries should also upgrade their dependency requirements to PyArrow 14.0.1 or later. If an upgrade is not possible, a separate package, pyarrow-hotfix, is available to disable the vulnerability on older PyArrow versions.
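The following script, added here as an example and not code from the advisory or from the PyArrow project, turns the recommendation above into a check an operator can run in each environment: it parses the installed PyArrow version, tests it against the affected range 0.14.0 through 14.0.0, and reports whether an upgrade or the hotfix package is needed. It assumes the hotfix package is importable as `pyarrow_hotfix` (an assumption to verify against your installation), and it only detects that the hotfix is installed, not that it has been imported in the process that reads untrusted data.

```python
"""Check an environment against CVE-2023-47248 (PyArrow 0.14.0 through 14.0.0).

Added example; not code from the advisory or from the PyArrow project.
Assumes the hotfix package installs an importable module named
``pyarrow_hotfix`` (check your installation if the name differs).
"""
import importlib.metadata
import importlib.util
import re

# Affected range from the advisory: PyArrow 0.14.0 through 14.0.0 inclusive.
FIRST_AFFECTED = (0, 14, 0)
LAST_AFFECTED = (14, 0, 0)
FIXED_VERSION = "14.0.1"


def parse_version(version: str) -> tuple:
    """Turn '14.0.0', '14.0.0.dev3' or '13.0' into a comparable tuple.

    Only the leading dotted integers are used; pre-release suffixes are
    ignored, so a 14.0.1 pre-release compares like 14.0.1 itself.
    """
    match = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_vulnerable_version(version: str) -> bool:
    """True if the version lies inside the affected range (inclusive)."""
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED


def installed_pyarrow_version():
    """Version of the installed pyarrow distribution, or None if absent."""
    try:
        return importlib.metadata.version("pyarrow")
    except importlib.metadata.PackageNotFoundError:
        return None


def hotfix_available() -> bool:
    """True if the (assumed) pyarrow_hotfix module is installed.

    Installed is not the same as active: the module must be imported
    before any untrusted IPC, Feather or Parquet data is read.
    """
    return importlib.util.find_spec("pyarrow_hotfix") is not None


def assess(version, hotfix_installed: bool) -> str:
    """Map a version string plus hotfix state to a verdict."""
    if version is None:
        return "pyarrow not installed"
    if not is_vulnerable_version(version):
        return "not affected"
    if hotfix_installed:
        return ("affected version, hotfix present: ensure 'import pyarrow_hotfix' "
                "runs before any untrusted data is read")
    return f"VULNERABLE: upgrade to pyarrow>={FIXED_VERSION} or install pyarrow-hotfix"


if __name__ == "__main__":
    print(assess(installed_pyarrow_version(), hotfix_available()))
```

Run it inside each virtual environment or container image that reads Arrow, Feather or Parquet files; the version check is pure string parsing, so it can also be pointed at a pinned requirement from a lock file.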
Weakness Enumeration
Deserialization of Untrusted Data (CWE-502)
Related Identifiers
CVE-2023-47248
Affected Products
Pyarrow