Code Execution Vulnerability in Apache Parquet's parquet-avro Module
CVE-2025-46762

7.1 HIGH

Key Information:

Vendor: Apache
CVE Published: 6 May 2025

Badges

👾 Exploit Exists
📰 News Worthy

Summary

A vulnerability in the schema parsing of the parquet-avro module of Apache Parquet versions up to 1.15.0 allows attackers to execute arbitrary code. Although version 1.15.1 introduced a fix to limit untrusted packages, the setting for trusted packages can still permit the execution of malicious classes from these packages. Exploitation requires the use of the 'specific' or 'reflect' models for reading Parquet files, with the 'generic' model being unaffected. To mitigate this issue, users should upgrade to version 1.15.2 or configure the system property 'org.apache.parquet.avro.SERIALIZABLE_PACKAGES' to be an empty string in version 1.15.1.

Affected Version(s)

Apache Parquet Java, versions 0 through 1.15.1 (inclusive)

News Articles

Apache Parquet Java Vulnerability CVE-2025-46762 RCE Risk

A vulnerability in Apache Parquet Java (CVE-2025-46762) exposes systems to remote code execution (RCE) attacks.

4 days ago

References

CVSS V4

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • 👾 Exploit known to exist

  • 📰 First article discovered by The Cyber Express

  • Vulnerability Reserved

Credit

Andrew Pikler
David Handermann
Nándor Kollár