Description
Apache Parquet Avro Module Vulnerable to Arbitrary Code Execution
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code.
Users are recommended to upgrade to version 1.15.1, which fixes the issue.
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-30065
- https://github.com/apache/parquet-java/issues/3168
- https://github.com/apache/parquet-java/pull/3169
- https://access.redhat.com/security/cve/CVE-2025-30065
- https://github.com/h3st4k3r/CVE-2025-30065/blob/main/POC-CVE-2025-30065-ParquetExploitGenerator.java
- https://github.com/mouadk/parquet-rce-poc-CVE-2025-30065/blob/main/src/main/java/com/evil/GenerateMaliciousParquetSSRF.java
- https://issues.apache.org/jira/browse/AVRO-3985
- https://lists.apache.org/thread/okzqb3kn479gqzxm21gg5vqr35om9gw5
- https://news.ycombinator.com/item?id=43603091
- https://www.bleepingcomputer.com/news/security/max-severity-rce-flaw-discovered-in-widely-used-apache-parquet
- http://www.openwall.com/lists/oss-security/2025/04/01/1
Packages
org.apache.parquet:parquet-avro
Affected versions: < 1.15.1
Fixed version: 1.15.1
Related vulnerabilities
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.15.1, which fixes the issue.
A vulnerability in the parquet-avro module of Apache Parquet Java, a columnar storage format for data processing, that allows an attacker to execute arbitrary code.