CyberSecurity news
@securityonline.info
A critical vulnerability, CVE-2025-46762, has been identified in Apache Parquet Java, the Java implementation of the widely used open-source columnar storage format. The flaw exposes systems to potential remote code execution (RCE) through insecure schema parsing in the parquet-avro module. It lies in how Avro schemas are deserialized from the metadata stored in Parquet files, which lets an attacker plant malicious content in a file's metadata. If an application uses parquet-avro to read Parquet files and employs the specific or reflective Avro deserialization models, processing an untrusted Parquet file can trigger unauthorized code execution during schema parsing.
The vulnerability affects all versions of Apache Parquet Java up to and including 1.15.1, in which schema parsing in the parquet-avro module allows arbitrary code execution. Although version 1.15.1 introduced restrictions on untrusted packages, its default list of trusted packages remained permissive, so an attacker could still exploit the flaw using classes from allow-listed packages. Exploitability depends on specific usage patterns: the application must use parquet-avro, employ the specific or reflective Avro deserialization models, and process untrusted or user-supplied Parquet files.
To mitigate the threat, Apache recommends upgrading to version 1.15.2, which hardens the default settings so that classes from trusted but potentially dangerous packages can no longer be loaded during schema parsing. Users on version 1.15.1 can explicitly set the system property org.apache. Although the vulnerability is not exploitable by default, the potential for RCE makes it a high-priority concern for organizations using Apache Parquet in data-intensive applications and analytics pipelines, especially those that handle untrusted data sources.
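As an added hardening example (not code from the advisory or from the Parquet project), the following Java reads a Parquet file through parquet-avro with the generic data model instead of the specific or reflective models the advisory names, after clearing the trusted-package list for users still on 1.15.1. The property name org.apache.parquet.avro.SERIALIZABLE_PACKAGES and the reader builder calls are assumptions about the parquet-avro 1.15.x API.

```java
import java.io.IOException;

import org.apache.avro.generic.GenericData;
import org.apache.avro.generic.GenericRecord;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.parquet.avro.AvroParquetReader;
import org.apache.parquet.hadoop.ParquetReader;
import org.apache.parquet.hadoop.util.HadoopInputFile;

public final class HardenedParquetAvroRead {

    // Assumption: the system property the Apache advisory refers to. An empty
    // value leaves no package trusted for class loading during schema parsing,
    // which is the 1.15.2 default. Only relevant to hosts still on 1.15.1.
    static final String SERIALIZABLE_PACKAGES = "org.apache.parquet.avro.SERIALIZABLE_PACKAGES";

    public static void hardenJvm() {
        // Must run before parquet-avro performs its first read.
        System.setProperty(SERIALIZABLE_PACKAGES, "");
    }

    // Counts records in a Parquet file using the generic Avro data model.
    // Generic records do not map schema entries back to Java classes, so the
    // specific/reflective code path named in the advisory is never taken.
    public static long countRecords(String file) throws IOException {
        Configuration conf = new Configuration();
        try (ParquetReader<GenericRecord> reader = AvroParquetReader
                .<GenericRecord>builder(HadoopInputFile.fromPath(new Path(file), conf))
                .withDataModel(GenericData.get())
                .withConf(conf)
                .build()) {
            long count = 0;
            while (reader.read() != null) {
                count++;
            }
            return count;
        }
    }

    public static void main(String[] args) throws IOException {
        hardenJvm();
        System.out.println(countRecords(args[0]) + " records");
    }
}
```

Upgrading to 1.15.2 remains the primary fix; the property is only a stop-gap for deployments that cannot upgrade immediately.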