Emergency Security Bulletin: Apache Parquet RCE Vulnerability


By: RedLegg's Cyber Threat Intelligence Team

RedLegg will occasionally communicate vulnerabilities disclosed outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation.

VULNERABILITIES:

Apache Parquet Java Schema Parsing Remote Code Execution Vulnerability

CVSS Score: 10.0 (Critical)
Identifier: CVE-2025-30065
Exploit or Proof of Concept (PoC): As of now, there are no public reports of active exploitation or available proof-of-concept exploits for this vulnerability.
Update: CVE-2025-30065 – Apache Security Advisory

Description: CVE-2025-30065 is a critical remote code execution vulnerability in the parquet-avro module of Apache Parquet Java, affecting versions up to and including 1.15.0. The flaw arises from the deserialization of untrusted data during schema parsing: an attacker who can get a vulnerable application to read a specially crafted Parquet file can execute arbitrary code in that application's context. The attacker needs no access beyond having the file processed, so the greatest exposure is in data pipelines and analytics systems that ingest Parquet files from external or untrusted origins (partner feeds, user uploads, shared storage buckets).

Mitigation Recommendation: Administrators and users are strongly advised to upgrade Apache Parquet Java to version 1.15.1 or later immediately. Note that parquet-avro is frequently pulled in transitively by larger data frameworks and ingestion services rather than declared directly, so check the resolved dependency tree of every application, not just its own build file, and upgrade the framework or pin the artifact accordingly. Where an immediate upgrade is not feasible, do not process Parquet files from untrusted sources, and apply strict input validation and deserialization controls (for example, quarantining and validating incoming files before they reach the parsing code) to reduce exposure.
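As an added illustration of the dependency check recommended above (this is example code written for this bulletin, not RedLegg's or the Apache Parquet project's own tooling): the Python script below scans the output of `mvn dependency:list` for `org.apache.parquet:parquet-avro` entries older than 1.15.1. The dependency listing embedded in it is constructed for the example, and the version comparison deliberately treats a `-SNAPSHOT` or otherwise qualified build as older than the bare release it is named after, so a pre-release of 1.15.1 is still flagged.

```python
import re
from typing import List, Tuple

# The artifact named in the advisory and the first fixed release.
VULNERABLE_ARTIFACT = ("org.apache.parquet", "parquet-avro")
FIXED_VERSION = "1.15.1"

# Constructed sample of `mvn dependency:list` output for this example;
# it is not taken from any real project.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.parquet:parquet-avro:jar:1.15.0:compile
[INFO]    org.apache.parquet:parquet-hadoop:jar:1.15.0:compile
[INFO]    org.apache.avro:avro:jar:1.11.4:compile
[INFO]    org.apache.parquet:parquet-avro:jar:tests:1.13.1:test
[INFO]    org.apache.parquet:parquet-column:jar:1.15.1:compile
"""

# Maven prints groupId:artifactId:type[:classifier]:version:scope, optionally
# followed by " -- module ..." on newer Maven versions; both shapes are accepted.
_DEP_RE = re.compile(
    r"^\[INFO\]\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<rest>\S+)(?:\s+--.*)?$"
)


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Turn '1.15.0' or '1.15.1-SNAPSHOT' into a comparable key.

    The numeric part is compared first; a qualifier such as -SNAPSHOT
    sorts below the bare release with the same number, because it is a
    pre-release build of that version rather than the fixed artifact.
    """
    core, *qualifier = re.split(r"[-+]", version, maxsplit=1)
    numbers = tuple(int(part) for part in core.split(".") if part.isdigit())
    return numbers, 0 if qualifier else 1


def is_vulnerable(version: str) -> bool:
    """True when the parquet-avro version predates the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_vulnerable_parquet_avro(dependency_list: str) -> List[Tuple[str, str]]:
    """Return (version, scope) for every parquet-avro entry older than FIXED_VERSION."""
    hits: List[Tuple[str, str]] = []
    for line in dependency_list.splitlines():
        match = _DEP_RE.match(line.strip())
        if not match or (match["group"], match["artifact"]) != VULNERABLE_ARTIFACT:
            continue
        # Version and scope are always the last two colon-separated fields,
        # whether or not a classifier is present.
        fields = match["rest"].split(":")
        version, scope = fields[-2], fields[-1]
        if is_vulnerable(version):
            hits.append((version, scope))
    return hits


if __name__ == "__main__":
    for version, scope in find_vulnerable_parquet_avro(SAMPLE_DEPENDENCY_LIST):
        print(f"VULNERABLE: parquet-avro {version} ({scope} scope), upgrade to {FIXED_VERSION}+")
```

To run it against a real build, pipe `mvn dependency:list` output into the script instead of the embedded sample (for example by reading `sys.stdin.read()`); a test-scoped hit is lower risk than a compile-scoped one but still indicates that the vulnerable artifact is in the build.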

Note: Given the critical nature of this vulnerability and the widespread use of Apache Parquet in big data environments, prompt action is essential to safeguard systems against potential exploitation. Regularly reviewing and applying security updates is vital to maintaining the integrity and security of data processing infrastructures.