CVE-2025-30065

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code


Users are recommended to upgrade to version 1.15.1, which fixes the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
apacheCNA
---
---
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 44%
VendorProductVersion
apacheparquet_java
𝑥
< 1.15.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://lists.apache.org/thread/okzqb3kn479gqzxm21gg5vqr35om9gw5
http://www.openwall.com/lists/oss-security/2025/04/01/1
https://access.redhat.com/security/cve/CVE-2025-30065
https://github.com/apache/parquet-java/pull/3169
https://news.ycombinator.com/item?id=43603091
https://www.bleepingcomputer.com/news/security/max-severity-rce-flaw-discovered-in-widely-used-apache-parquet/
https://github.com/h3st4k3r/CVE-2025-30065/blob/main/POC-CVE-2025-30065-ParquetExploitGenerator.java
https://github.com/mouadk/parquet-rce-poc-CVE-2025-30065/blob/main/src/main/java/com/evil/GenerateMaliciousParquetSSRF.java