PT-2025-14089 · Apache · Apache Parquet

Keyi Li · Published 2025-03-17 · Updated 2025-08-31 · CVE-2025-30065

CVSS v4.0: 10 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A
Name of the Vulnerable Software and Affected Versions: Apache Parquet versions 1.15.0 and earlier
Description: A critical vulnerability in the Apache Parquet Java library allows attackers to execute arbitrary code on systems that read Parquet files. The root cause is a deserialization flaw in the parquet-avro module, which can be exploited by supplying a crafted Parquet file to the vulnerable reader. The flaw affects any application that processes Parquet files, especially files sourced from external or untrusted origins. Successful exploitation gives the attacker remote code execution, which may lead to malware being run, data theft or operational disruption.
Recommendations: Upgrade to Apache Parquet version 1.15.1 or later, which fixes the vulnerability. Additionally, implement stringent monitoring to detect unusual activity and avoid processing Parquet files from dubious sources. Configure the org.apache.parquet.avro.SERIALIZABLE_PACKAGES system property to limit the packages allowed for deserialization. As a temporary workaround, consider restricting access to the parquet-avro module until the fixed version can be deployed.
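An added example, not code from this advisory or from the Apache Parquet project, showing the configuration mitigation named above: the org.apache.parquet.avro.SERIALIZABLE_PACKAGES property is set before parquet-avro opens an untrusted file. The file path and the package allowlist are constructed values, and the comma-separated list format is an assumption to be checked against the parquet-avro version in use.

```java
// Added example: read a Parquet file with parquet-avro while restricting which
// Java packages the Avro record converter is allowed to deserialize into.
// Assumes parquet-avro 1.15.1 or later on the classpath.
import org.apache.avro.generic.GenericRecord;
import org.apache.hadoop.fs.Path;
import org.apache.parquet.avro.AvroParquetReader;
import org.apache.parquet.hadoop.ParquetReader;

public class RestrictedParquetRead {
    // System property named in the advisory's recommendations.
    static final String SERIALIZABLE_PACKAGES =
        "org.apache.parquet.avro.SERIALIZABLE_PACKAGES";

    // Constructed allowlist (assumption: comma-separated package prefixes).
    static final String ALLOWED_PACKAGES = "java.lang,java.math";

    public static long countRows(String parquetPath) throws Exception {
        // Set the allowlist before any parquet-avro reader class is used, so the
        // converter observes it; the same value can be given as a -D JVM flag.
        if (System.getProperty(SERIALIZABLE_PACKAGES) == null) {
            System.setProperty(SERIALIZABLE_PACKAGES, ALLOWED_PACKAGES);
        }
        long rows = 0;
        try (ParquetReader<GenericRecord> reader =
                 AvroParquetReader.<GenericRecord>builder(new Path(parquetPath)).build()) {
            GenericRecord record;
            while ((record = reader.read()) != null) {
                rows++; // only generic records are materialized; no reflective class loading
            }
        }
        return rows;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path: substitute the file received from the untrusted source.
        String path = args.length > 0 ? args[0] : "/tmp/untrusted-input.parquet";
        System.out.println("rows read: " + countRows(path));
    }
}
```

Setting the property on the command line (-Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES=...) has the same effect and keeps the allowlist out of application code.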

Tags: Exploit · Fix · RCE · Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers: BDU:2025-03991, CVE-2025-30065, GHSA-2C59-37C4-QRX5

Affected Products: Apache Parquet