CVE-2025-30065

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code Users are recommended to upgrade to version 1.15.1, which fixes the issue.

CVSS

No CVSS.

References

Link	Resource
https://lists.apache.org/thread/okzqb3kn479gqzxm21gg5vqr35om9gw5
http://www.openwall.com/lists/oss-security/2025/04/01/1
https://access.redhat.com/security/cve/CVE-2025-30065
https://github.com/apache/parquet-java/pull/3169
https://news.ycombinator.com/item?id=43603091
https://www.bleepingcomputer.com/news/security/max-severity-rce-flaw-discovered-in-widely-used-apache-parquet/

Configurations

No configuration.

History

07 Apr 2025, 03:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/security/cve/CVE-2025-30065 - () https://github.com/apache/parquet-java/pull/3169 - () https://news.ycombinator.com/item?id=43603091 - () https://www.bleepingcomputer.com/news/security/max-severity-rce-flaw-discovered-in-widely-used-apache-parquet/ -

02 Apr 2025, 22:15

Type	Values Removed	Values Added
Summary		(es) El análisis del esquema en el módulo parquet-avro de Apache Parquet 1.15.0 y versiones anteriores permite que actores maliciosos ejecuten código arbitrario. Se recomienda a los usuarios actualizar a la versión 1.15.1, que soluciona el problema.
References		() http://www.openwall.com/lists/oss-security/2025/04/01/1 -

01 Apr 2025, 08:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-01 08:15

Updated : 2025-04-07 03:15

NVD link : CVE-2025-30065

Mitre link : CVE-2025-30065

CVE.ORG link : CVE-2025-30065

JSON object : View

Products Affected

No product.

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2025-30065", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security@apache.org", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-04-01T08:15:15.283", "references": [{"url": "https://lists.apache.org/thread/okzqb3kn479gqzxm21gg5vqr35om9gw5", "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2025/04/01/1", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://access.redhat.com/security/cve/CVE-2025-30065", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/apache/parquet-java/pull/3169", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://news.ycombinator.com/item?id=43603091", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.bleepingcomputer.com/news/security/max-severity-rce-flaw-discovered-in-widely-used-apache-parquet/", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code\n\n\nUsers are recommended to upgrade to version 1.15.1, which fixes the issue."}, {"lang": "es", "value": "El an\u00e1lisis del esquema en el m\u00f3dulo parquet-avro de Apache Parquet 1.15.0 y versiones anteriores permite que actores maliciosos ejecuten c\u00f3digo arbitrario. Se recomienda a los usuarios actualizar a la versi\u00f3n 1.15.1, que soluciona el problema."}], "lastModified": "2025-04-07T03:15:21.750", "sourceIdentifier": "security@apache.org"}