CVE-2025-30065

Опубликовано: 01 апр. 2025

Источник: nvd

CVSS3: 9.8

EPSS Низкий

Описание

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code

Users are recommended to upgrade to version 1.15.1, which fixes the issue.

Ссылки

https://lists.apache.org/thread/okzqb3kn479gqzxm21gg5vqr35om9gw5
Mailing List
Release Notes
http://www.openwall.com/lists/oss-security/2025/04/01/1
Mailing List
Third Party Advisory
https://access.redhat.com/security/cve/CVE-2025-30065
Issue Tracking
Third Party Advisory
https://github.com/apache/parquet-java/pull/3169
Issue Tracking
Patch
https://news.ycombinator.com/item?id=43603091
Issue Tracking
Third Party Advisory
https://www.bleepingcomputer.com/news/security/max-severity-rce-flaw-discovered-in-widely-used-apache-parquet/
Exploit
Press/Media Coverage
Third Party Advisory
https://github.com/h3st4k3r/CVE-2025-30065/blob/main/POC-CVE-2025-30065-ParquetExploitGenerator.java
Third Party Advisory
https://github.com/mouadk/parquet-rce-poc-CVE-2025-30065/blob/main/src/main/java/com/evil/GenerateMaliciousParquetSSRF.java
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:parquet_java:*:*:*:*:*:*:*:*

Версия до 1.15.1 (исключая)

EPSS

Процентиль: 63%

0.00443

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-502

Связанные уязвимости

CVE-2025-30065

CVSS3: 10

redhat

10 месяцев назад

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code Users are recommended to upgrade to version 1.15.1, which fixes the issue.

GHSA-2c59-37c4-qrx5

github

10 месяцев назад

Apache Parquet Avro Module Vulnerable to Arbitrary Code Execution

BDU:2025-03991