Apache Parquet Java Vulnerability Lets Attackers Execute Arbitrary Code
A new critical security vulnerability in Apache Parquet Java has been disclosed that could allow attackers to execute arbitrary code through specially crafted Parquet files.
The vulnerability, tracked as CVE-2025-46762, affects all versions of Apache Parquet Java through 1.15.1.
Apache Parquet is a popular columnar storage file format designed for efficient data storage and retrieval in big data ecosystems.
It’s widely used with processing frameworks like Apache Hadoop, Spark, and Flink, making this vulnerability potentially widespread in data analytics infrastructures.
Apache Parquet-Avro Vulnerability
The security flaw resides in the parquet-avro module, which is responsible for processing Avro schemas embedded in Parquet file metadata.
While Apache Parquet 1.15.1 introduced a fix to restrict untrusted packages in March 2025, security researchers discovered that the default setting of trusted packages remained permissive, still allowing malicious classes from these packages to be executed.
According to the advisory released by Apache Software Foundation, “Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code”.
“While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be executed”.
The issue affects applications that read Parquet files with the Avro “specific” or “reflect” data models; readers that use the “generic” model are not affected.
This vulnerability is particularly concerning for data processing pipelines that may ingest Parquet files from untrusted sources.
Applications using Apache Parquet Java’s parquet-avro module to deserialize data from Parquet files are at risk of remote code execution if they process untrusted files.
The vulnerability stems from how the reader handles the Avro schema stored in the file’s footer metadata: with the specific and reflect models, class names carried in that schema are resolved and instantiated while the file is converted, so an attacker-supplied file decides which classes get loaded. The 1.15.1 fix limited this to a list of trusted packages, but because that list was not empty by default, classes from those packages could still be loaded from a crafted schema and their code run.
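As an added example (not code from the article or from the Apache Parquet project), the following triage tool reads only the footer of a Parquet file and walks the embedded Avro schema for the properties that carry Java class names (`java-class`, `java-key-class` and `java-element-class`, the properties Avro’s reflect support uses), reporting any class outside a hypothetical allowlist before the file is handed to a specific- or reflect-model reader. It assumes parquet-hadoop, parquet-avro and avro on the classpath, and that the writer stored its schema under the `parquet.avro.schema` (or the older `avro.schema`) footer key.

```java
// Added example, not code from the article or the Apache Parquet project.
// Footer-only triage of an untrusted Parquet file: no row group is decoded,
// and the Avro schema is only parsed, never used to build a reader.
import java.io.IOException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.apache.avro.Schema;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.parquet.hadoop.ParquetFileReader;
import org.apache.parquet.hadoop.util.HadoopInputFile;

public class AvroSchemaTriage {
    // Schema properties through which Avro's reflect model names Java classes.
    private static final String[] CLASS_PROPS = {"java-class", "java-key-class", "java-element-class"};

    // Hypothetical allowlist for this example; tighten it to what your data actually needs.
    private static final String[] ALLOWED_PREFIXES = {"java.lang.", "java.math."};

    /** Returns every class reference in the schema that is not under an allowed package. */
    public static List<String> findUntrustedClassRefs(Schema schema) {
        List<String> hits = new ArrayList<>();
        walk(schema, hits, new HashSet<>());
        return hits;
    }

    private static void walk(Schema s, List<String> hits, Set<String> seen) {
        report(s.getType().getName(), s, hits);
        switch (s.getType()) {
            case RECORD:
                if (!seen.add(s.getFullName())) return; // recursive record, already visited
                for (Schema.Field f : s.getFields()) {
                    for (String prop : CLASS_PROPS) {       // field-level properties
                        String cls = f.getProp(prop);
                        if (cls != null && !allowed(cls)) hits.add(f.name() + ":" + prop + "=" + cls);
                    }
                    walk(f.schema(), hits, seen);
                }
                break;
            case ARRAY: walk(s.getElementType(), hits, seen); break;
            case MAP:   walk(s.getValueType(), hits, seen);   break;
            case UNION: for (Schema t : s.getTypes()) walk(t, hits, seen); break;
            default: break; // primitives, enums, fixed: nothing nested
        }
    }

    private static void report(String where, Schema s, List<String> hits) {
        for (String prop : CLASS_PROPS) {
            String cls = s.getProp(prop);
            if (cls != null && !allowed(cls)) hits.add(where + ":" + prop + "=" + cls);
        }
    }

    private static boolean allowed(String cls) {
        for (String p : ALLOWED_PREFIXES) if (cls.startsWith(p)) return true;
        return false;
    }

    /** Reads the footer only and returns the embedded Avro schema, or null if there is none. */
    public static Schema readEmbeddedAvroSchema(String file) throws IOException {
        Configuration conf = new Configuration();
        try (ParquetFileReader reader = ParquetFileReader.open(HadoopInputFile.fromPath(new Path(file), conf))) {
            Map<String, String> kv = reader.getFooter().getFileMetaData().getKeyValueMetaData();
            String json = kv.get("parquet.avro.schema");
            if (json == null) json = kv.get("avro.schema");
            // Schema.Parser builds an in-memory schema object; it does not load classes.
            return json == null ? null : new Schema.Parser().parse(json);
        }
    }

    public static void main(String[] args) throws IOException {
        Schema schema = readEmbeddedAvroSchema(args[0]);
        if (schema == null) { System.out.println("no embedded Avro schema"); return; }
        List<String> hits = findUntrustedClassRefs(schema);
        if (hits.isEmpty()) System.out.println("no class references outside the allowlist");
        else hits.forEach(h -> System.out.println("REJECT " + h));
    }
}
```

Under the specific model the full name of each record schema is itself resolved as a Java class, so a complete check also compares record names against the schema the application expects; the tool above only surfaces the explicit class-name properties. Treat a non-empty report as a reason to reject the file, not as a patch substitute.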
This vulnerability follows CVE-2025-30065, a deserialization flaw in the same parquet-avro module that was disclosed in April 2025 and addressed by the 1.15.1 fix.
The vulnerability was responsibly reported by security researchers Andrew Pikler, David Handermann, and Nándor Kollár, who identified the issue as part of ongoing security research into serialization vulnerabilities.
| Risk Factors | Details |
| --- | --- |
| Affected Products | Apache Parquet Java through version 1.15.1 (specifically the parquet-avro module) |
| Impact | Arbitrary code execution |
| Exploit Prerequisites | Application uses Apache Parquet Java ≤ 1.15.1; the parquet-avro module is used; the “specific” or “reflect” Avro models are used for reading Parquet files; attacker must supply a crafted Parquet file with a malicious Avro schema |
| CVSS 3.1 Score | Critical |
Organizations using affected versions of Apache Parquet Java are strongly advised to take immediate action.
The Apache Parquet team released version 1.15.2 on May 1, 2025, which fully addresses the vulnerability.
Users have two recommended remediation options:
- Upgrade to Apache Parquet Java 1.15.2, which includes comprehensive fixes for the vulnerability.
- For those unable to upgrade immediately but running version 1.15.1, set the system property org.apache.parquet.avro.SERIALIZABLE_PACKAGES to an empty string (for example, -Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES= on the JVM command line).
Both approaches mitigate the vulnerability by leaving no package on the trusted list, so no class named by an untrusted schema is loaded. Note that the property is only honoured by 1.15.1; earlier releases do not implement the trusted-package check at all and must be upgraded.
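As an added example (not code from the article or from the Apache Parquet project), the reader below applies both defences at once for a JVM still on 1.15.1: it refuses to start unless the trusted-package property is set to the empty string, and it reads with the Avro “generic” model, which the advisory lists as unaffected. It assumes parquet-avro and parquet-hadoop on the classpath and takes the input path from the command line.

```java
// Added example, not code from the article or the Apache Parquet project.
// Run as: java -Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES= UntrustedParquetReader file.parquet
import java.io.IOException;

import org.apache.avro.generic.GenericData;
import org.apache.avro.generic.GenericRecord;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.parquet.avro.AvroParquetReader;
import org.apache.parquet.hadoop.ParquetReader;
import org.apache.parquet.hadoop.util.HadoopInputFile;

public class UntrustedParquetReader {
    static final String TRUSTED_PACKAGES_PROP = "org.apache.parquet.avro.SERIALIZABLE_PACKAGES";

    /** Fails fast if the 1.15.1 mitigation was not applied when this JVM was started. */
    static void requireEmptyTrustedPackages() {
        String v = System.getProperty(TRUSTED_PACKAGES_PROP);
        if (v == null || !v.trim().isEmpty()) {
            throw new IllegalStateException("start the JVM with -D" + TRUSTED_PACKAGES_PROP
                    + "= (empty value) or upgrade parquet-avro to 1.15.2");
        }
    }

    /** Counts records using GenericData only, so no class name from the schema is resolved. */
    static long countRecords(String file) throws IOException {
        Configuration conf = new Configuration();
        long n = 0;
        try (ParquetReader<GenericRecord> reader = AvroParquetReader
                .<GenericRecord>builder(HadoopInputFile.fromPath(new Path(file), conf))
                .withDataModel(GenericData.get())   // explicit generic model, not the default
                .withConf(conf)
                .build()) {
            for (GenericRecord rec = reader.read(); rec != null; rec = reader.read()) {
                n++;
            }
        }
        return n;
    }

    public static void main(String[] args) throws IOException {
        requireEmptyTrustedPackages();
        System.out.println(countRecords(args[0]) + " records");
    }
}
```

The guard checks the JVM property rather than calling System.setProperty itself, because the property must be in place before parquet-avro reads it, and the command line is the only place that is guaranteed. The guard cannot tell which parquet-avro version is on the classpath, so pair it with a dependency check and treat the upgrade to 1.15.2 as the real fix.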
Organizations using Apache Parquet in their data pipelines should audit their systems immediately and apply the recommended mitigations to prevent potential exploitation.
The post Apache Parquet Java Vulnerability Lets Attackers Execute Arbitrary Code appeared first on Cyber Security News.