Apache Parquet Java Vulnerability Let Attackers Execute Arbitrary Code
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
A new critical security vulnerability in Apache Parquet Java has been disclosed that could allow attackers to execute arbitrary code through specially crafted Parquet files.
The vulnerability, tracked as CVE-2025-46762, affects all versions of Apache Parquet Java through 1.15.1.
Apache Parquet is a popular columnar storage file format designed for efficient data storage and retrieval in big data ecosystems.
It’s widely used with processing frameworks like Apache Hadoop, Spark, and Flink, making this vulnerability potentially widespread in data analytics infrastructures.
Apache Parquet-Avro Vulnerability
The security flaw resides in the parquet-avro module, which is responsible for processing Avro schemas embedded in Parquet file metadata.
While Apache Parquet 1.15.1 introduced a fix to restrict untrusted packages in March 2025, security researchers discovered that the default setting of trusted packages remained permissive, still allowing malicious classes from these packages to be executed.
According to the advisory released by Apache Software Foundation, “Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code”.
“While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be executed”.
The exploit specifically targets applications that use the “specific” or “reflect” models for reading Parquet files, while the “generic” model remains unaffected.
This vulnerability is particularly concerning for data processing pipelines that may ingest Parquet files from untrusted sources.
Applications using Apache Parquet Java’s parquet-avro module to deserialize data from Parquet files are at risk of remote code execution if they process untrusted files.
The vulnerability stems from how Avro schemas are handled during deserialization, potentially allowing attackers to inject malicious code that gets executed during schema parsing.
Security experts note this vulnerability follows a similar deserialization flaw (CVE-2025-30065) discovered in April 2025, which also affected the parquet-avro module.
The vulnerability was responsibly reported by security researchers Andrew Pikler, David Handermann, and Nándor Kollár, who identified the issue as part of ongoing security research into serialization vulnerabilities.
Risk Factors Details Affected ProductsApache Parquet Java through version 1.15.1 (specifically the parquet-avro module)ImpactArbitrary code executionExploit Prerequisites– Application uses Apache Parquet Java ≤ 1.15.1- The parquet-avro module is used- The “specific” or “reflect” Avro models are deliberately used for reading Parquet files- Attacker must supply a crafted Parquet file with a malicious Avro schemaCVSS 3.1 ScoreCritical
Organizations using affected versions of Apache Parquet Java are strongly advised to take immediate action.
The Apache Parquet team released version 1.15.2 on May 1, 2025, which fully addresses the vulnerability.
Users have two recommended remediation options:
Both approaches effectively mitigate the vulnerability by preventing the execution of malicious code from trusted packages.
Organizations using Apache Parquet in their data pipelines should audit their systems immediately and apply the recommended mitigations to prevent potential exploitation.
#Apache #Cyber_Security #Cyber_Security_News #Vulnerability
Оригинальная версия на сайте:
Apache Parquet Java Vulnerability Let Attackers Execute Arbitrary Code
Author: Guru BaranA new critical security vulnerability in Apache Parquet Java has been disclosed that could allow attackers to execute arbitrary code through specially crafted Parquet files.
The vulnerability, tracked as CVE-2025-46762, affects all versions of Apache Parquet Java through 1.15.1.
Apache Parquet is a popular columnar storage file format designed for efficient data storage and retrieval in big data ecosystems.
It’s widely used with processing frameworks like Apache Hadoop, Spark, and Flink, making this vulnerability potentially widespread in data analytics infrastructures.
Apache Parquet-Avro Vulnerability
The security flaw resides in the parquet-avro module, which is responsible for processing Avro schemas embedded in Parquet file metadata.
While Apache Parquet 1.15.1 introduced a fix to restrict untrusted packages in March 2025, security researchers discovered that the default setting of trusted packages remained permissive, still allowing malicious classes from these packages to be executed.
According to the advisory released by Apache Software Foundation, “Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code”.
“While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be executed”.
The exploit specifically targets applications that use the “specific” or “reflect” models for reading Parquet files, while the “generic” model remains unaffected.
This vulnerability is particularly concerning for data processing pipelines that may ingest Parquet files from untrusted sources.
Applications using Apache Parquet Java’s parquet-avro module to deserialize data from Parquet files are at risk of remote code execution if they process untrusted files.
The vulnerability stems from how Avro schemas are handled during deserialization, potentially allowing attackers to inject malicious code that gets executed during schema parsing.
Security experts note this vulnerability follows a similar deserialization flaw (CVE-2025-30065) discovered in April 2025, which also affected the parquet-avro module.
The vulnerability was responsibly reported by security researchers Andrew Pikler, David Handermann, and Nándor Kollár, who identified the issue as part of ongoing security research into serialization vulnerabilities.
Risk Factors Details Affected ProductsApache Parquet Java through version 1.15.1 (specifically the parquet-avro module)ImpactArbitrary code executionExploit Prerequisites– Application uses Apache Parquet Java ≤ 1.15.1- The parquet-avro module is used- The “specific” or “reflect” Avro models are deliberately used for reading Parquet files- Attacker must supply a crafted Parquet file with a malicious Avro schemaCVSS 3.1 ScoreCritical
Organizations using affected versions of Apache Parquet Java are strongly advised to take immediate action.
The Apache Parquet team released version 1.15.2 on May 1, 2025, which fully addresses the vulnerability.
Users have two recommended remediation options:
- Upgrade to Apache Parquet Java 1.15.2, which includes comprehensive fixes for the vulnerability.
- For those unable to upgrade immediately but running version 1.15.1, set the system property org.apache.parquet.avro.SERIALIZABLE_PACKAGES to an empty string:
Both approaches effectively mitigate the vulnerability by preventing the execution of malicious code from trusted packages.
Organizations using Apache Parquet in their data pipelines should audit their systems immediately and apply the recommended mitigations to prevent potential exploitation.
#Apache #Cyber_Security #Cyber_Security_News #Vulnerability
Оригинальная версия на сайте:
