CVE-2025-30065
Published: 2025-04-01
Priority: P2 · 73 · critical · CVSS 3.1 base score 9.8 · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 38.84% (98.4th percentile)
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code
Users are recommended to upgrade to version 1.15.1, which fixes the issue.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | parquet_java | < 1.15.1 | 1.15.1 |
| apache_software_foundation | apache_parquet_java | <= 1.15.0 | — |
| msrc | cbl2_busybox_1.35.0-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
Detection & IOCs (extracted from sources)
- Detect deserialization of untrusted Java classes in the parquet-avro module; the library fails to restrict which Java classes can be instantiated when reading Avro data embedded in Parquet files.
- Monitor for unexpected outbound HTTP GET requests originating from systems processing Parquet files, which may indicate exploitation via object instantiation side effects (e.g., javax.swing.JEditorKit triggering a network callback to an attacker-controlled server).
- Flag ingestion of Parquet files from external or unverified sources into data pipelines; exploitation requires a specially crafted Parquet file to be imported by the target system.
- Audit and restrict the 'org.apache.parquet.avro.SERIALIZABLE_PACKAGES' configuration to limit which Java packages are permitted for deserialization in the parquet-avro module.
- Note: Exploitation requires the target system to actively import/read a specially crafted Parquet file; it is not a zero-interaction remote exploit.
- Note: The flaw does not allow full arbitrary deserialization RCE; it only triggers instantiation of a Java object, which must have a useful side effect (e.g., a network request) for the attacker to leverage.
- Note: The vulnerability is believed to have been introduced in Parquet version 1.8.0, though older releases may also be affected; all versions up to and including 1.15.0 are confirmed vulnerable.
- Note: Practical exploitation requires a specific set of circumstances and is assessed as difficult and of limited value to attackers in general environments.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 10.0 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 10.0 | CRITICAL | — |
| vendor_oracle | — | 9.1 | CRITICAL | — |
| vendor_msrc | — | 7.8 | HIGH | — |
Oracle
Oracle NoSQL Database Risk Matrix: Administration (Apache Parquet Java) — CVE-2025-30065
vendor_oracle · 2026-01-15 · CVSS 7.0 · [CRITICAL]
CVE: CVE-2025-30065
CVSS: 7.0
Protocol: None
Remote exploit: No
Affected versions: Local
Advisory: cpujan2026 (JAN 2026)
Oracle
Oracle Analytics Risk Matrix: Analytics Server (Apache Parquet Java) — CVE-2025-30065
vendor_oracle · 2025-07-15 · CVSS 9.1 · [CRITICAL]
CVE: CVE-2025-30065
CVSS: 9.1
Protocol: HTTP
Remote exploit: No
Affected versions: Network
Advisory: cpujul2025 (JUL 2025)
Red Hat
org.apache.parquet/parquet-avro: Apache Parquet Java: Arbitrary code execution in the parquet-avro module when reading an Avro schema from a Parquet file metadata
vendor_redhat · 2025-04-01 · CVSS 10.0 · CVE-2025-30065 [CRITICAL] · CWE-502
A flaw was found in the parquet-avro module of Apache Parquet. This vulnerability allows attackers to execute arbitrary code via schema parsing.
Statement: Camel Spring Boot product is not affected by this vulnerability since the listed components are not supported.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising
Microsoft
A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.
vendor_msrc · 2022-05-10 · CVSS 7.8 · CVE-2022-30065 [HIGH] · CWE-416
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mar
GHSA
Apache Parquet Avro Module Vulnerable to Arbitrary Code Execution
ghsa · 2025-04-01 · CVE-2025-30065 [CRITICAL] · CWE-502
OSV
Apache Parquet Avro Module Vulnerable to Arbitrary Code Execution
osv · 2025-04-01 · CVE-2025-30065 [CRITICAL]
No detection rules found.
No public exploits indexed.
Bleepingcomputer
blogs_bleepingcomputer · 2025-05-06 · CVSS 10.0 · CVE-2025-30065 [CRITICAL]
## Apache Parquet exploit tool detect servers vulnerable to critical flaw
## Bill Toulas
A proof-of-concept exploit tool has been publicly released for a maximum severity Apache Parquet vulnerability, tracked as CVE-2025-30065, making it easy to find vulnerable servers.
The tool was released by F5 Labs researchers who investigated the vulnerability after finding that multiple existing PoCs were either weak or completely non-functional.
The tool serves as proof of CVE-2025-30065's practical exploitability and can also help administrators evaluate their environments and secure servers.
Apache Parquet is an open-source, columnar storage format designed for efficient data processing, widely used by big data platforms and organizations engaged in data engineering and analytics.
The flaw w
Wiz
blogs_wiz · 2025-05-01 · CVSS 10.0 · CVE-2025-32433 [CRITICAL]
Crying Out Cloud Newsletter - May 2025 | Wiz
Welcome back! This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure.
Here are our top picks of cloud security highlights!
Hype or no hype – Critical Vulnerability in Erlang/OTP SSH Implementation
CVE-2025-32433 is a critical vulnerability (CVSS 10.0) in the Erlang/Open Telecom Platform (OTP) SSH implementation that allows unauthenticated remote attackers to execute arbitrary code by exploiting flaws in how the SSH protocol sequence is handled. Specifically, the vulnerability stems from the improper enforcement of message ordering, enabling attackers to send malicious SSH protocol messages before authentication and gain code executi
Bleepingcomputer
blogs_bleepingcomputer · 2025-04-03 · CVSS 10.0 · [CRITICAL]
## Max severity RCE flaw discovered in widely used Apache Parquet
## Bill Toulas
A maximum severity remote code execution (RCE) vulnerability has been discovered impacting all versions of Apache Parquet up to and including 1.15.0.
The problem stems from the deserialization of untrusted data that could allow attackers with specially crafted Parquet files to gain control of target systems, exfiltrate or modify data, disrupt services, or introduce dangerous payloads such as ransomware.
The vulnerability is tracked under CVE-2025-30065 and has a CVSS v4 score of 10.0. The flaw was fixed with the release of Apache version 1.15.1.
It should be noted that to exploit this flaw, threat actors must convince someone to import a specially crafted Parquet file.
## Severe threat to "big data" envi
Greynoiseio
blogs_greynoiseio
NoiseLetter April 2025
References
- https://lists.apache.org/thread/okzqb3kn479gqzxm21gg5vqr35om9gw5
- http://www.openwall.com/lists/oss-security/2025/04/01/1
- https://access.redhat.com/security/cve/CVE-2025-30065
- https://github.com/apache/parquet-java/pull/3169
- https://news.ycombinator.com/item?id=43603091
- https://www.bleepingcomputer.com/news/security/max-severity-rce-flaw-discovered-in-widely-used-apache-parquet/
- https://github.com/h3st4k3r/CVE-2025-30065/blob/main/POC-CVE-2025-30065-ParquetExploitGenerator.java
- https://github.com/mouadk/parquet-rce-poc-CVE-2025-30065/blob/main/src/main/java/com/evil/GenerateMaliciousParquetSSRF.java