Critical Apache Parquet Vulnerability Allows Remote Code Execution

A severe vulnerability has been identified in the Apache Parquet Java library, specifically within its parquet-avro module.

This flaw, tracked as CVE-2025-30065, exposes systems to potential Remote Code Execution (RCE) attacks.

It has been rated Critical with a CVSS score of 10.0, indicating the highest level of severity. The root cause is categorized as Deserialization of Untrusted Data (CWE-502).

The vulnerability impacts systems that process or import Parquet files, particularly those obtained from untrusted or external sources.

Affected Products

According to the Openwall reports, the issue is present in Apache Parquet Java library versions 1.15.0 and earlier. It was introduced in version 1.8.0, making all subsequent versions up to 1.15.0 vulnerable.

Popular big data and analytics frameworks, as well as custom applications leveraging the Parquet library, are affected. Below is a summary of the affected versions and the mitigation available:

Product/Component	Affected Versions	Fixed Version
Apache Parquet Java (parquet-avro)	1.8.0 through 1.15.0	1.15.1

Organizations using frameworks such as Apache Hadoop, Spark, or Flink that integrate Parquet for data processing should prioritize upgrading to the patched version as soon as possible.

Vulnerability Details and Potential Impact

The vulnerability stems from the improper parsing of Avro schema metadata in Parquet files.

Specifically, a crafted Parquet file can exploit the parquet-avro module’s deserialization process, allowing attackers to execute arbitrary code on the targeted system.

Risks:

1. Remote Code Execution (RCE): Attackers can gain full control of vulnerable systems.
2. Data Breach and Tampering: Sensitive information could be accessed, modified, or stolen.
3. Malware Deployment: Systems could be compromised by ransomware, cryptominers, or other malicious software.
4. Service Disruption: Exploitation may lead to denial of service (DoS) or system corruption.

Affected systems risk complete compromise of confidentiality, integrity, and availability – making mitigation a top priority.

As of April 2025, no active exploitation of the vulnerability has been reported in the wild.

However, the disclosure of this vulnerability means attackers could develop exploits at any time. Organizations must act proactively to secure their systems.

Mitigation and Recommendations

To address the vulnerability, users are strongly advised to:

• Upgrade the library to version 1.15.1, which contains the official fix.
• Avoid processing untrusted Parquet files until the update is applied.
• For extra precaution, implement sandboxing or input validation mechanisms to limit the risk posed by potentially malicious files.

The vulnerability was discovered by Keyi Li of Amazon and disclosed responsibly.

By taking prompt action, organizations can prevent potential exploitation and bolster the security of their data processing pipelines.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!