CVE-2025-30065: Apache Parquet Java: Arbitrary code execution in the parquet-avro module when reading an Avro schema from a Parquet file metadata

10.0 CVSS

Description

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code.

Users are recommended to upgrade to version 1.15.1, which fixes the issue.

Classification

CVE ID: CVE-2025-30065

CVSS Base Severity: CRITICAL

CVSS Base Score: 10.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem Types

CWE-502 Deserialization of Untrusted Data

Affected Products

Vendor: Apache Software Foundation

Product: Apache Parquet Java

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.16% (probability of being exploited)

EPSS Percentile: 37.52% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-18 (when this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-30065
https://lists.apache.org/thread/okzqb3kn479gqzxm21gg5vqr35om9gw5

Timeline