CyberSecurity news


@csoonline.com //
A critical remote code execution (RCE) vulnerability, identified as CVE-2025-30065, has been discovered in Apache Parquet's Java Library. This flaw carries a maximum severity rating and could allow a remote attacker to execute arbitrary code on susceptible systems. Apache Parquet is a widely used open-source columnar data file format designed for efficient data processing and retrieval, commonly employed in big data processing frameworks like Hadoop and Spark. Given the popularity of Apache Parquet and the severity of the vulnerability, immediate action is crucial to mitigate the risk.

This critical flaw stems from the deserialization of untrusted data within the parquet-avro module of the Java library. An attacker can exploit this vulnerability by tricking a vulnerable system into processing a specially crafted Parquet file. Upon processing the malicious file, the deserialization of untrusted data allows the attacker to execute arbitrary code, potentially gaining full control over the affected system. Consequences of successful exploitation could include data exfiltration or modification, service disruption, and the deployment of malicious payloads such as ransomware.

The vulnerability impacts all versions of Apache Parquet up to and including 1.15.0. Systems and applications that rely on data pipelines and analytics frameworks, particularly those that ingest Parquet files from external or untrusted sources, are at heightened risk. The flaw was fixed in Apache Parquet version 1.15.1. Users are strongly advised to update their Apache Parquet installations to the latest version as soon as possible to address this critical vulnerability and prevent potential exploitation.
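As an added illustration of the upgrade advice above (not code from the article or from the Apache Parquet project), the following Python check reads a constructed Maven/Gradle-style dependency inventory and flags parquet-avro artifacts in the affected range (up to and including 1.15.0), treating 1.15.1 as the fixed release. The inventory format and the focus on the parquet-avro module alone are assumptions.

```python
import re
from typing import List, Tuple

FIXED_VERSION = (1, 15, 1)  # the article names 1.15.1 as the fixed release
# The article attributes the flaw to the parquet-avro module of the Java library.
AFFECTED = ("org.apache.parquet", "parquet-avro")

# Matches Maven "dependency:list" style (group:artifact:type:version[:scope]) and
# Gradle-style (group:artifact:version) coordinates. Assumption: the inventory
# comes from one of those tools; classifier columns are not handled.
COORD = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?:[\w\-]+:)?(?P<version>\d[\w.\-]*)"
)

def parse_version(text: str) -> Tuple[Tuple[int, ...], bool]:
    """Split '1.15.0' or '1.15.1-SNAPSHOT' into (numeric parts, is_final_release)."""
    core, _, qualifier = text.partition("-")
    numbers = tuple(int(p) for p in core.split(".") if p.isdigit())
    return numbers, qualifier == ""

def is_vulnerable(version: str) -> bool:
    """True for every release up to and including 1.15.0 (the affected range in
    the article) and for pre-release builds of 1.15.1 that predate the fix."""
    numbers, final = parse_version(version)
    padded = numbers + (0,) * (3 - len(numbers))  # treat "1.15" as 1.15.0
    return padded < FIXED_VERSION or (padded == FIXED_VERSION and not final)

def scan(lines: List[str]) -> List[str]:
    """Return coordinates of affected parquet-avro artifacts found in the inventory."""
    hits = []
    for line in lines:
        m = COORD.search(line)
        if m and (m["group"], m["artifact"]) == AFFECTED and is_vulnerable(m["version"]):
            hits.append(f"{m['group']}:{m['artifact']}:{m['version']}")
    return hits

# Constructed sample inventory for the demo; not output from any real project.
SAMPLE = [
    "[INFO]    org.apache.parquet:parquet-avro:jar:1.15.0:compile",
    "[INFO]    org.apache.parquet:parquet-hadoop:jar:1.15.0:compile",
    "[INFO]    org.apache.avro:avro:jar:1.11.4:compile",
    "org.apache.parquet:parquet-avro:1.15.1",
    "org.apache.parquet:parquet-avro:1.13.1",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("affected by CVE-2025-30065:", hit)
```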



References:
  • The DefendOps Diaries: Addressing the Critical CVE-2025-30065 Vulnerability in Apache Parquet
  • The Hacker News: A maximum severity security vulnerability has been disclosed in Apache Parquet's Java Library that, if successfully exploited, could allow a remote attacker to execute arbitrary code on susceptible instances.
  • BleepingComputer: Max severity RCE flaw discovered in widely used Apache Parquet
  • securityaffairs.com: Critical flaw in Apache Parquet’s Java Library allows remote code execution
  • www.csoonline.com: Big hole in big data: Critical deserialization bug in Apache Parquet allows RCE
Classification:
  • HashTags: #ApacheParquet #Vulnerability #RCE
  • Target: Data processing systems
  • Product: Apache Parquet
  • Feature: Apache Parquet
  • Malware: CVE-2025-30065
  • Type: Vulnerability
  • Severity: Disaster