CVE-2025-33042

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-33042
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas. This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0. Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.

7.3 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1 Mailing List Vendor Advisory Issue Tracking
http://www.openwall.com/lists/oss-security/2026/02/12/2 Mailing List Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:avro:*:*:*:*:*:-:*:*
cpe:2.3:a:apache:avro:1.12.0:-:*:*:*:-:*:*
cpe:2.3:a:apache:avro:1.12.0:rc0:*:*:*:-:*:*
cpe:2.3:a:apache:avro:1.12.0:rc1:*:*:*:-:*:*
History

20 Feb 2026, 15:07

Type Values Removed Values Added
CPE cpe:2.3:a:apache:avro:1.12.0:rc0:*:*:*:-:*:*
cpe:2.3:a:apache:avro:1.12.0:-:*:*:*:-:*:*
cpe:2.3:a:apache:avro:1.12.0:rc1:*:*:*:-:*:*
cpe:2.3:a:apache:avro:*:*:*:*:*:-:*:*
First Time Apache avro
Apache
References () https://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1 - () https://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1 - Mailing List, Vendor Advisory, Issue Tracking
References () http://www.openwall.com/lists/oss-security/2026/02/12/2 - () http://www.openwall.com/lists/oss-security/2026/02/12/2 - Mailing List, Third Party Advisory
Summary
  • (es) Vulnerabilidad de control inadecuado de la generación de código ('Inyección de código') en el SDK de Java de Apache Avro al generar registros específicos a partir de esquemas Avro no confiables. Este problema afecta al SDK de Java de Apache Avro: todas las versiones hasta la 1.11.4 y la versión 1.12.0. Se recomienda a los usuarios actualizar a la versión 1.12.1 o 1.11.5, que solucionan el problema.

13 Feb 2026, 19:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.3

13 Feb 2026, 13:16

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2026/02/12/2 -

13 Feb 2026, 12:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-13 12:16

Updated : 2026-02-20 15:07

NVD link : CVE-2025-33042

Mitre link : CVE-2025-33042

CVE.ORG link : CVE-2025-33042

JSON object : View

Products Affected

apache

  • avro
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')