CVE-2025-46762 – org.apache.parquet:parquet-avro
Package
Manager: maven
Name: org.apache.parquet:parquet-avro
Vulnerable Version: >=0 <1.15.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/S:N/RE:M/U:Amber
EPSS: 0.00129 (percentile 0.33091)
Details
Apache Parquet Java: Potential malicious code execution from trusted packages in the parquet-avro module when reading an Avro schema from Parquet file metadata.
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and earlier lets an attacker who supplies a crafted Parquet file execute arbitrary code: the Avro schema stored in the file metadata is parsed on read, and with the "specific" or "reflect" data model that parsing can load and run attacker-chosen classes. Version 1.15.1 added a fix that restricts class loading to a list of trusted packages, but its default list of trusted packages still allows malicious classes from those packages to be executed, so 1.15.1 remains exploitable in its default configuration. The issue applies only when the client code of parquet-avro deliberately reads Parquet files with the "specific" or "reflect" model; the "generic" model is not affected. Users are recommended to upgrade to 1.15.2, or, on 1.15.1, to set the system property "org.apache.parquet.avro.SERIALIZABLE_PACKAGES" to an empty string. Either measure on its own is sufficient to fix the issue.
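The two mitigations above applied in client code, as an added example that is not part of the advisory or of Apache Parquet's own code base. It assumes the parquet-avro 1.15.x reader API (AvroParquetReader.builder, AvroReadSupport.setAvroDataSupplier, GenericDataSupplier) and a Hadoop Configuration; the class name SafeParquetAvroRead, the helper names and the command-line file path are mine. The system property name is the one the advisory gives.

```java
import java.io.IOException;

import org.apache.avro.generic.GenericData;
import org.apache.avro.generic.GenericRecord;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.parquet.avro.AvroParquetReader;
import org.apache.parquet.avro.AvroReadSupport;
import org.apache.parquet.avro.GenericDataSupplier;
import org.apache.parquet.hadoop.ParquetReader;
import org.apache.parquet.hadoop.util.HadoopInputFile;

/** Hypothetical client class: reads a Parquet file without the affected data models. */
public final class SafeParquetAvroRead {

    // Property name from the advisory. An empty value means "no trusted packages",
    // which is the 1.15.1 workaround; upgrading to 1.15.2 makes this unnecessary.
    private static final String SERIALIZABLE_PACKAGES =
            "org.apache.parquet.avro.SERIALIZABLE_PACKAGES";

    /**
     * Workaround for 1.15.1: clear the trusted-package list. Call this before any
     * parquet-avro class is loaded; passing -Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES=
     * on the JVM command line is the safer form because it cannot arrive too late.
     * An explicit operator-supplied value is left untouched.
     */
    static void disableTrustedPackages() {
        if (System.getProperty(SERIALIZABLE_PACKAGES) == null) {
            System.setProperty(SERIALIZABLE_PACKAGES, "");
        }
    }

    /**
     * Read the file with the "generic" data model, which the advisory says is not
     * affected. The model is pinned twice: in the Hadoop conf (so a conf that asks
     * for the reflect/specific supplier is overridden) and on the builder itself.
     */
    static long countRecordsWithGenericModel(String parquetPath) throws IOException {
        Configuration conf = new Configuration();
        AvroReadSupport.setAvroDataSupplier(conf, GenericDataSupplier.class);

        Path path = new Path(parquetPath);
        try (ParquetReader<GenericRecord> reader =
                     AvroParquetReader.<GenericRecord>builder(HadoopInputFile.fromPath(path, conf))
                             .withDataModel(GenericData.get())
                             .withConf(conf)
                             .build()) {
            long count = 0;
            GenericRecord record;
            while ((record = reader.read()) != null) {
                // GenericRecord exposes fields by name; no generated or reflected
                // Java class is ever instantiated from the embedded Avro schema.
                count++;
            }
            return count;
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: SafeParquetAvroRead <file.parquet>");
            System.exit(2);
        }
        disableTrustedPackages();
        System.out.println(countRecordsWithGenericModel(args[0]));
    }
}
```

The property workaround only matters on 1.15.1; on 1.15.0 and earlier there is no restriction to tighten, so the only fix there is the upgrade. The generic-model reader is the change that removes the exposed code path regardless of version, which is why it is worth applying even after upgrading, wherever the application does not actually need "specific" or "reflect" records.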
Metadata
Created: 2025-05-06T12:30:23Z
Modified: 2025-05-06T16:46:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-53wx-pr6q-m3j5/GHSA-53wx-pr6q-m3j5.json
CWE IDs: ["CWE-73"]
Alternative ID: GHSA-53wx-pr6q-m3j5
Finding: F063
Auto approve: 1