CVE-2025-30065
Arbitrary Code Execution vulnerability in parquet-avro (Maven)
What is CVE-2025-30065 About?
This vulnerability, found in the parquet-avro module of Apache Parquet 1.15.0 and earlier, allows for arbitrary code execution due to improper schema parsing. It can lead to complete system compromise if exploited, and proof-of-concept exploits exist, indicating that exploitation is feasible.
Affected Software
Technical Details
The vulnerability resides in the schema parsing component of the parquet-avro module. When processing schema definitions, affected versions of Apache Parquet (1.15.0 and earlier) do not properly sanitize or validate certain schema elements. This flaw allows a malicious actor to embed or manipulate parts of the schema so that, when the vulnerable module parses it, unintended code execution is triggered. This could involve injecting shell commands or other executable instructions that the system would then process, ultimately leading to arbitrary code execution within the context of the affected application.
What is the Impact of CVE-2025-30065?
Successful exploitation may allow attackers to execute arbitrary code on the affected system, leading to full compromise, data manipulation, or denial of service.
What is the Exploitability of CVE-2025-30065?
Exploitation likely requires the attacker to supply a specially crafted Parquet schema that is then processed by the vulnerable parquet-avro module. The complexity is moderate, since it involves understanding the schema-parsing logic and identifying injection points. Whether authentication is required depends on whether the attacker can supply or modify the Parquet files the application subsequently processes. This is generally a remote exploitation vector when the application processes external Parquet files. The existence of proofs of concept suggests that the attack is reproducible and can be carried out by adversaries with sufficient technical skill.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| bjornhels | Link | PoC |
| F5-Labs | Link | PoC for CVE-2025-30065 |
| h3st4k3r | Link | This PoC targets CVE-2025-30065, an RCE vulnerability in Apache Parquet via Avro schema deserialization. It abuses the getDefaultValue() mechanism to instantiate arbitrary record types during... |
What are the Available Fixes for CVE-2025-30065?
Available Upgrade Options
- org.apache.parquet:parquet-avro
  - <1.15.1 → Upgrade to 1.15.1
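As an added illustration (not code from this advisory or from the Apache Parquet project), the script below flags the affected coordinate in `mvn dependency:list`-style output using the artifact and fixed version stated above. The sample output is constructed, and the version ordering is a simplified approximation of Maven's (a qualified version such as `1.15.1-SNAPSHOT` is treated as older than the `1.15.1` release).

```python
import re

# Affected coordinate and fixed version, as stated in the advisory.
VULNERABLE_GROUP = "org.apache.parquet"
VULNERABLE_ARTIFACT = "parquet-avro"
FIXED_VERSION = "1.15.1"

# Constructed sample of `mvn dependency:list` output (not real build output).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.parquet:parquet-avro:jar:1.15.0:compile
[INFO]    org.apache.parquet:parquet-hadoop:jar:1.15.0:compile
[INFO]    org.apache.avro:avro:jar:1.11.3:compile
[INFO]    org.apache.parquet:parquet-avro:jar:1.15.1:test
"""

# groupId:artifactId:type:version:scope (classifier-less coordinates only)
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+):(\w+)")


def version_key(version):
    """Comparable key: numeric dotted part, then release (1) beats qualifier (0)."""
    base, _, qualifier = version.partition("-")
    numbers = tuple(int(p) if p.isdigit() else 0 for p in base.split("."))
    return numbers, 0 if qualifier else 1


def is_vulnerable(version):
    """True for any parquet-avro version ordered before the fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)


def find_vulnerable(dependency_list_text):
    """Return (version, scope) pairs for parquet-avro entries below the fix."""
    findings = []
    for line in dependency_list_text.splitlines():
        match = COORD_RE.search(line)
        if not match:
            continue
        group, artifact, version, scope = match.groups()
        if group == VULNERABLE_GROUP and artifact == VULNERABLE_ARTIFACT:
            if is_vulnerable(version):
                findings.append((version, scope))
    return findings


if __name__ == "__main__":
    for version, scope in find_vulnerable(SAMPLE_DEPENDENCY_LIST):
        print(f"{VULNERABLE_GROUP}:{VULNERABLE_ARTIFACT}:{version} ({scope}) "
              f"is below {FIXED_VERSION}; upgrade to {FIXED_VERSION}")
```

Because `dependency:list` includes transitive dependencies, this also catches parquet-avro pulled in indirectly through another library.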
Additional Resources
- https://news.ycombinator.com/item?id=43603091
- https://github.com/h3st4k3r/CVE-2025-30065/blob/main/POC-CVE-2025-30065-ParquetExploitGenerator.java
- https://access.redhat.com/security/cve/CVE-2025-30065
- http://www.openwall.com/lists/oss-security/2025/04/01/1
- https://github.com/apache/parquet-java/issues/3168
- https://lists.apache.org/thread/okzqb3kn479gqzxm21gg5vqr35om9gw5
- https://github.com/apache/parquet-java
- https://github.com/mouadk/parquet-rce-poc-CVE-2025-30065/blob/main/src/main/java/com/evil/GenerateMaliciousParquetSSRF.java
- https://github.com/apache/parquet-java/pull/3169
What are Similar Vulnerabilities to CVE-2025-30065?
Similar Vulnerabilities: CVE-2021-44228, CVE-2022-22965, CVE-2023-49070, CVE-2021-4104, CVE-2023-50036
