CVE-2025-33042
Code Injection vulnerability in avro (Maven)
What is CVE-2025-33042 About?
This vulnerability is a Code Injection flaw in the Apache Avro Java SDK, occurring when generating specific records from untrusted Avro schemas. It allows an attacker to inject and execute arbitrary code. The exploitation difficulty depends on the context of schema generation but can be moderate if untrusted schemas are processed.
Affected Software
- org.apache.avro:avro
  - <1.11.5
  - >=1.12.0, <1.12.1
Technical Details
The vulnerability, categorized as 'Improper Control of Generation of Code' (Code Injection), exists in the Apache Avro Java SDK in all versions through 1.11.4 and in version 1.12.0. It manifests when the SDK is used to generate specific records from untrusted Avro schemas. An attacker can craft a malicious Avro schema that, when processed by the vulnerable SDK, causes the SDK to generate or execute arbitrary code: the schema definition carries elements that the SDK turns into executable code during record generation, which is what produces the injection.
What is the Impact of CVE-2025-33042?
Successful exploitation may allow attackers to execute arbitrary code within the compromised system, potentially leading to full system compromise, data theft, or denial of service.
What is the Exploitability of CVE-2025-33042?
Exploitation typically involves crafting a malicious Avro schema and supplying it to a system that uses the vulnerable Apache Avro Java SDK. The complexity depends on how untrusted schemas are handled; if such schemas are processed without adequate sanitization or validation, the complexity is moderate. Whether authentication is required depends on whether an attacker can supply schemas to the system without first authenticating. The privileges obtained are typically those of the application processing the schema. The flaw can be exploited remotely if the application accepts untrusted Avro schemas from external sources. The key constraint is the path by which untrusted schemas reach the SDK and are processed by it; the risk is highest in environments where arbitrary Avro schemas are parsed or deserialized.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-33042?
Available Upgrade Options
- org.apache.avro:avro
  - <1.11.5 → Upgrade to 1.11.5
  - >=1.12.0, <1.12.1 → Upgrade to 1.12.1
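A practical way to act on the ranges above is to check the dependency tree of every Maven build that ships org.apache.avro:avro. The script below is an added example written for this advisory, not code from the Apache Avro project or from the advisory's publisher. It encodes the two affected ranges and the two upgrade targets exactly as listed above, and scans `mvn dependency:tree` output for the artifact; the sample tree it runs on is constructed for the example and is not real project output. Only the leading numeric parts of a version are compared, so a qualifier such as `-SNAPSHOT` is ignored (an assumption made here for simplicity).

```python
"""Flag affected org.apache.avro:avro versions in `mvn dependency:tree` output.

Added example for the CVE-2025-33042 advisory; not Apache Avro project code.
The affected ranges (<1.11.5 and >=1.12.0,<1.12.1) and the upgrade targets
(1.11.5 and 1.12.1) are the ones stated in the advisory.
"""
import re

# Maven coordinate for the affected artifact, as listed in the advisory.
# Maven prints dependencies as groupId:artifactId:type[:classifier]:version:scope,
# so the version is the first colon-separated field that starts with a digit.
AVRO_COORD_RE = re.compile(r"org\.apache\.avro:avro:(?:[^:\s]+:)*?(\d[^:\s]*)")


def parse_version(version: str) -> tuple:
    """Turn '1.11.4' (or '1.11.4-SNAPSHOT') into a comparable tuple of ints.

    Only the leading numeric components are compared; a qualifier such as
    '-SNAPSHOT' is ignored (assumption: a pre-release of a fixed version is
    treated as that fixed version).
    """
    numeric = re.match(r"\d+(?:\.\d+)*", version)
    if numeric is None:
        raise ValueError(f"not a numeric Maven version: {version!r}")
    return tuple(int(part) for part in numeric.group(0).split("."))


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    # Range 1: every release before 1.11.5 (covers 1.11.4 and all earlier lines).
    if v < (1, 11, 5):
        return True
    # Range 2: >=1.12.0, <1.12.1 (in practice, 1.12.0 only).
    return (1, 12, 0) <= v < (1, 12, 1)


def recommended_fix(version: str):
    """Upgrade target from the advisory for a vulnerable version, else None."""
    if not is_vulnerable(version):
        return None
    # Versions below 1.12 stay on the 1.11 line; 1.12.0 moves to 1.12.1.
    return "1.12.1" if parse_version(version) >= (1, 12, 0) else "1.11.5"


def scan_dependency_tree(tree_output: str) -> list:
    """Return (line_number, version, upgrade_target) for each affected avro entry."""
    findings = []
    for line_number, line in enumerate(tree_output.splitlines(), start=1):
        match = AVRO_COORD_RE.search(line)
        if match is None:
            continue
        version = match.group(1)
        if is_vulnerable(version):
            findings.append((line_number, version, recommended_fix(version)))
    return findings


# Constructed sample of `mvn dependency:tree` output (not real project output):
# one affected avro artifact at compile scope and one already-fixed test-scope copy.
SAMPLE_TREE = """\
[INFO] --- dependency:3.6.1:tree (default-cli) @ demo-app ---
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- org.apache.avro:avro:jar:1.11.3:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.17.0:compile
[INFO] \\- org.apache.avro:avro:jar:1.12.1:test
"""

if __name__ == "__main__":
    for line_number, version, fix in scan_dependency_tree(SAMPLE_TREE):
        print(f"line {line_number}: org.apache.avro:avro {version} is affected by "
              f"CVE-2025-33042; upgrade to {fix}")
```

In a real build, pipe `mvn dependency:tree` into `scan_dependency_tree` and fail the pipeline on a non-empty result; the match is deliberately restricted to the exact `org.apache.avro:avro` coordinate the advisory names, so sibling artifacts are neither flagged nor cleared by this check.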
Additional Resources
- https://github.com/apache/avro/commit/84bc7322ca1c04ab4a8e4e708acf1e271541aac4
- https://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1
- https://github.com/apache/avro/pull/3150
- https://osv.dev/vulnerability/GHSA-rp46-r563-jrc7
- https://nvd.nist.gov/vuln/detail/CVE-2025-33042
- http://www.openwall.com/lists/oss-security/2026/02/12/2
- https://issues.apache.org/jira/browse/AVRO-4053
- https://github.com/apache/avro
What are Similar Vulnerabilities to CVE-2025-33042?
Similar Vulnerabilities: CVE-2023-45803, CVE-2023-44487, CVE-2023-44246, CVE-2023-31118, CVE-2023-28682
