CVE-2025-33042

EUVD-2025-206910
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.

This issue affects Apache Avro Java SDK: all versions through 1.11.4 and versionĀ 1.12.0.

Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.3 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA-ADPADP
7.3 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 4%
Affected Products (NVD)
VendorProductVersion
apacheavro
𝑥
< 1.11.5
apacheavro
1.12.0
apacheavro
1.12.0:rc0
apacheavro
1.12.0:rc1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1
http://www.openwall.com/lists/oss-security/2026/02/12/2