Apache Parquet
cpe:2.3:a:apache:parquet:*:*:*:*:*:*:*
- <= 1.15.1
A vulnerability in the parquet-avro module of Apache Parquet, in versions through 1.15.1, allows arbitrary code execution. The issue arises during schema parsing when the 'specific' or 'reflect' Avro data models are used to read Parquet files; the 'generic' data model is not affected. Version 1.15.1 attempted to address the problem by restricting the packages from which classes may be loaded, but the default list of trusted packages still permits malicious classes from those packages to be instantiated and executed.
Successful exploitation requires the application to read an attacker-controlled Parquet file with one of the affected data models, and results in execution of arbitrary code with the privileges of the application using the affected Parquet library.
Users are advised to upgrade to Apache Parquet version 1.15.2. As a mitigation for version 1.15.1 only (earlier versions do not have this setting), the system property 'org.apache.parquet.avro.SERIALIZABLE_PACKAGES' can be set to an empty string so that no package is trusted.
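The following is an added example (not code from the Apache Parquet project or this advisory) showing the two measures above applied in a reader: the file is read with the unaffected 'generic' data model, and on 1.15.1 the JVM is refused service unless the mitigation property is present. The class name, the input path, and the expectation that the property is supplied on the JVM command line (`-Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES=`) rather than set from code are assumptions of this example; the reader API calls are the standard parquet-avro and parquet-hadoop builder methods.

```java
import java.io.IOException;

import org.apache.avro.generic.GenericData;
import org.apache.avro.generic.GenericRecord;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.parquet.avro.AvroParquetReader;
import org.apache.parquet.hadoop.ParquetReader;
import org.apache.parquet.hadoop.util.HadoopInputFile;

/** Hypothetical class name; reads untrusted Parquet input without the affected data models. */
public class UntrustedParquetReader {

    // Property name taken from the advisory. An empty value means no package is trusted.
    static final String SERIALIZABLE_PACKAGES = "org.apache.parquet.avro.SERIALIZABLE_PACKAGES";

    /**
     * Returns true only if the 1.15.1 mitigation is in effect, i.e. the property is defined
     * and empty. A missing property falls back to the library's default trusted packages,
     * which the advisory states are still exploitable, so "unset" is treated as unsafe.
     */
    public static boolean mitigationPropertyInEffect() {
        String value = System.getProperty(SERIALIZABLE_PACKAGES);
        return value != null && value.trim().isEmpty();
    }

    /**
     * Reads every record using the generic data model, which the advisory identifies as
     * unaffected. No 'specific' or 'reflect' model is involved, so schema properties in an
     * attacker-supplied file cannot select a class to instantiate.
     */
    public static long countRecordsGeneric(Path file, Configuration conf) throws IOException {
        try (ParquetReader<GenericRecord> reader = AvroParquetReader.<GenericRecord>builder(
                        HadoopInputFile.fromPath(file, conf))
                .withConf(conf)
                .withDataModel(GenericData.get())
                .build()) {
            long count = 0;
            for (GenericRecord record = reader.read(); record != null; record = reader.read()) {
                count++;
            }
            return count;
        }
    }

    public static void main(String[] args) throws IOException {
        // Assumption: this process runs parquet-avro 1.15.1. Fail fast if the operator did not
        // start the JVM with -Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES= ; setting the
        // property from code is avoided because the library may have read it already.
        if (!mitigationPropertyInEffect()) {
            System.err.println("refusing to read untrusted Parquet: start the JVM with -D"
                    + SERIALIZABLE_PACKAGES + "= or upgrade parquet-avro to 1.15.2");
            System.exit(2);
        }
        // Hypothetical input path; in practice this is the untrusted upload being processed.
        Path input = new Path(args.length > 0 ? args[0] : "/tmp/untrusted.parquet");
        long n = countRecordsGeneric(input, new Configuration());
        System.out.println("records read with generic model: " + n);
    }
}
```

Run as `java -Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES= -cp ... UntrustedParquetReader file.parquet`. The property check only matters on 1.15.1; on 1.15.2 and later the upgrade is the fix, and using the generic data model for untrusted input remains sensible on any version because it avoids the affected code path entirely.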