CVE-2025-30065
published 2025-04-01

Priority: P2 (73)
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 38.84% (98.4th percentile)
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.15.1, which fixes the issue.

Affected (5 ranges)

  Vendor                      Product                                     Version range   Fixed in
  apache                      parquet_java                                < 1.15.1        1.15.1
  apache_software_foundation  apache_parquet_java                         <= 1.15.0
  msrc                        cbl2_busybox_1.35.0-3_on_cbl_mariner_2.0
  msrc                        cbl_mariner_2.0_arm
  msrc                        cbl_mariner_2.0_x64

Detection & IOCs (extracted from sources)

IOC (other): javax.swing.JEditorPane

Detection
  • Inspect the Avro schema that parquet-avro embeds in the Parquet footer (metadata key parquet.avro.schema) for "java-class" and related java-*-class properties: parquet-avro resolves the named class with reflection and instantiates it while reading the file, and through 1.15.0 it does not restrict which classes may be named.
  • Monitor for unexpected outbound HTTP GET requests from systems that process Parquet files. The side effect used in proof-of-concept exploitation is a class whose public String-argument constructor fetches a URL (javax.swing.JEditorPane), which produces a callback to an attacker-controlled server during the read.
  • Flag ingestion of Parquet files from external or unverified sources into data pipelines; exploitation requires the target to read a specially crafted file.
  • After upgrading to 1.15.1 or later, set the org.apache.parquet.avro.SERIALIZABLE_PACKAGES system property (a comma-separated list of trusted package prefixes) to the narrowest set the application needs, or to an empty string if it needs none. The property is part of the fix and has no effect on 1.15.0, so it complements the upgrade rather than replacing it.

Caveats
  • Exploitation requires the target system to actively import/read a specially crafted Parquet file; it is not a zero-interaction remote exploit.
  • The flaw is not a full arbitrary-deserialization RCE: it only triggers instantiation of a Java object, and that object's constructor must have a useful side effect (e.g. a network request) for the attacker to leverage.
  • The vulnerability is believed to have been introduced in Parquet 1.8.0, though older releases may also be affected; all versions up to and including 1.15.0 are confirmed vulnerable.
  • Practical exploitation requires a specific set of circumstances and is assessed as difficult and of limited value to attackers in general environments.
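A check for the ingestion and allowlist bullets above, added here as an example and not code from the Parquet project: it walks the Avro schema that parquet-avro stores under the footer key parquet.avro.schema and reports every java-class, java-key-class or java-element-class property (the class-naming properties Avro's reflect model defines) that points outside a trusted-package list. The TRUSTED_PACKAGES value, the sample schema, the JSON-path format and the helper names are this example's own assumptions, not the library's defaults; schema_from_parquet needs pyarrow and is only used on a real file, everything else runs offline.

```python
"""Scan an Avro schema, as parquet-avro embeds it in a Parquet footer under the
key 'parquet.avro.schema', for java-*-class properties that name classes
outside a trusted-package allowlist.  Added example, not Parquet project code."""
import json

# Avro (ReflectData) schema properties that parquet-avro resolves to Java
# classes with reflection when it builds converters for a column.
CLASS_PROPS = ("java-class", "java-key-class", "java-element-class")

# Hypothetical allowlist for this example, in the spirit of the
# org.apache.parquet.avro.SERIALIZABLE_PACKAGES system property: a
# comma-separated list of package prefixes.  It is NOT the library's default.
TRUSTED_PACKAGES = "java.lang,java.math,java.util"


def is_trusted(class_name, trusted=TRUSTED_PACKAGES):
    """True if class_name sits inside one of the trusted package prefixes.
    The match is on the dotted package boundary, so 'java.util' does not
    cover 'java.utilx.Foo'.  An empty list trusts nothing."""
    prefixes = [p.strip() for p in trusted.split(",") if p.strip()]
    return any(class_name == p or class_name.startswith(p + ".")
               for p in prefixes)


def find_class_props(node, path="$"):
    """Walk a parsed Avro schema (records, fields, arrays, maps, unions) and
    yield (json_path, property, class_name) for every java-*-class property,
    wherever it is nested."""
    if isinstance(node, dict):
        for prop in CLASS_PROPS:
            if isinstance(node.get(prop), str):
                yield path, prop, node[prop]
        for key, child in node.items():
            yield from find_class_props(child, f"{path}.{key}")
    elif isinstance(node, list):  # unions and the 'fields' list
        for i, child in enumerate(node):
            yield from find_class_props(child, f"{path}[{i}]")


def untrusted_classes(schema_json, trusted=TRUSTED_PACKAGES):
    """Return the java-*-class references that fall outside the allowlist.
    A non-empty result is the signal to quarantine the file."""
    schema = json.loads(schema_json)
    return [(path, prop, cls) for path, prop, cls in find_class_props(schema)
            if not is_trusted(cls, trusted)]


def schema_from_parquet(parquet_path):
    """Pull the Avro schema string out of a Parquet footer's key/value metadata.
    Requires pyarrow (imported lazily so the rest of the module runs without
    it); returns None for files that were not written by parquet-avro."""
    import pyarrow.parquet as pq
    kv = pq.read_metadata(parquet_path).metadata or {}
    raw = kv.get(b"parquet.avro.schema")
    return raw.decode("utf-8") if raw else None


# Constructed sample: a mostly benign schema with one string field whose
# java-class names a Swing class whose public String constructor fetches the
# given URL when the reader instantiates it.
SAMPLE_SCHEMA = json.dumps({
    "type": "record", "name": "Event", "namespace": "example",
    "fields": [
        {"name": "id", "type": "long"},
        {"name": "label",
         "type": {"type": "string", "java-class": "java.lang.String"}},
        {"name": "callback",
         "type": {"type": "string", "java-class": "javax.swing.JEditorPane"}},
        {"name": "tags",
         "type": {"type": "array", "items": "string",
                  "java-element-class": "java.util.ArrayList"}},
    ],
})

if __name__ == "__main__":
    for path, prop, cls in untrusted_classes(SAMPLE_SCHEMA):
        print(f"untrusted {prop}={cls} at {path}")
```

Run it on a file's schema (schema_from_parquet) before a parquet-avro reader touches that file: the constructor side effect happens as soon as the reader converts the affected column, so the check has to sit ahead of the read, and on a pre-1.15.1 reader it is the only gate there is.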

CVSS provenance

  Source         Version  Score  Severity  Vector
  nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  nvd            v4.0     10.0   CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  vendor_redhat           10.0   CRITICAL
  vendor_oracle           9.1    CRITICAL
  vendor_msrc             7.8    HIGH