PyArrow, PyArrow: Arbitrary code execution when loading a malicious data file
CVE-2023-47248

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Pyarrow
Vendor: CVE Published:; 9 November 2023

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 85%

What is CVE-2023-47248?

A deserialization vulnerability exists in PyArrow, specifically in its handling of Arrow IPC, Feather, and Parquet data. This flaw enables potential adversaries to execute arbitrary code during data reading processes when using vulnerable versions of PyArrow (0.14.0 to 14.0.0) with untrusted input sources. Users are strongly urged to update to PyArrow version 14.0.1 or later. For those unable to upgrade immediately, a hotfix is available through a separate package to mitigate the risk on older versions.

Affected Version(s)

PyArrow 0.14.0 <= 14.0.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

pyarrow-CVE-2023-47248
Created by Prodigysec

References

https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cy...

vendor-advisory

https://github.com/apache/arrow/commit/f14170976372436ec1...

patch

https://pypi.org/project/pyarrow-hotfix/

mitigation

EPSS Score

85% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Dec 28, 2025
👾
Exploit known to exist
Dec 28, 2025
Vulnerability published
Nov 9, 2023
Vulnerability Reserved
Nov 4, 2023

Credit

Li Jiakun - laoquanshi

JSON

Apache

Badges

What is CVE-2023-47248?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

EPSS Score

CVSS V3.1

Timeline

Credit