Pierluigi Paganini April 04, 2025

Experts warn of a critical vulnerability impacting Apache Parquet’s Java Library that could allow remote code execution.

Apache Parquet’s Java Library is a software library for reading and writing Parquet files in the Java programming language. Parquet is a columnar storage file format that is optimized for use with large-scale data processing frameworks, such as Apache Hadoop, Apache Spark, and Apache Drill.

Experts disclosed a critical vulnerability, tracked as CVE-2025-30065 (CVSS score of 10.0), impacting Apache Parquet’s Java Library that could allow remote code execution

“Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code” reads the advisory.

The vulnerability CVE-2025-30065 is a Deserialization of Untrusted Data issue. The flaw affects systems importing Parquet files, especially from untrusted sources, and can be exploited by attackers tampering with the files. Versions 1.15.0 and earlier are vulnerable, with the flaw traced back to version 1.8.0. This impacts big-data frameworks (e.g., Hadoop, Spark, Flink) and custom applications using Parquet. Users should verify their software stack for this issue.

“If an attacker tricks a vulnerable system into reading a specially crafted Parquet file, they could gain remote code execution (RCE) on that system​.” reads a report published by Endor Labs. “In practice, this might allow them to:

• Take control of the system: They could run any commands or software, effectively gaining control​.
• Steal or tamper with data: Sensitive information could be accessed, copied, or modified.
• Install malware: The attacker might deploy ransomware, cryptominers, or other malicious software.
• Disrupt services: They could shut down services or corrupt data, causing denial of service and business downtime.

“All confidentiality, integrity, and availability of the affected system are at risk (in CVSS terms, “High” impact on all three)​. Despite the frightening potential, it’s important to note that the vulnerability can only be exploited if a malicious Parquet file is imported.”

According to Endor Labs, as of April 2025, there are no known active exploits for this vulnerability. However, with the issue now public, threat actors may attempt to exploit it. The researchers urge users to address the issue immediately.

To protect your systems from CVE-2025-30065, upgrade Apache Parquet Java to version 1.15.1 or later. If that’s not possible, avoid or validate Parquet files from untrusted sources and implement input validation. Enable monitoring and logging to detect suspicious behavior, and stay informed on updates from Apache or cybersecurity authorities. Applying these actions will reduce risks and protect your systems.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Parquet’s Java Library)