PT-2026-7986 · Apache · Apache Avro Java Sdk
Brant Eckert · Published 2026-02-13 · Updated 2026-03-11 · CVE-2025-33042
CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
Apache Avro Java SDK versions through 1.11.4 and version 1.12.0
Description
An Improper Control of Generation of Code ('Code Injection') issue exists in Apache Avro Java SDK when generating specific records from untrusted Avro schemas. The flaw could allow attackers to execute arbitrary code. Apache Avro is used as a serialization backbone in the big data ecosystem.
Recommendations
Upgrade to version 1.12.1 or 1.11.5 to resolve this issue.
Fix
Code Injection
Affected Products
Apache Avro Java Sdk