A critical deserialization vulnerability (CVE-2025-46762) was disclosed in Apache Parquet Java’s parquet-avro module, affecting all versions through 1.15.1. The flaw allows an attacker supplying a crafted Parquet file with a malicious Avro schema to execute arbitrary code on any system that uses the “specific” or “reflect” Avro models for reading data. This impacts big data processing frameworks—such as Hadoop, Spark, and Flink—that rely on Parquet for high-performance columnar storage and retrieval. Exploitation can lead to full system compromise, unauthorized access to sensitive data, disruption of analytics pipelines, and potential lateral movement within enterprise networks. Although version 1.15.1 included a partial fix, the default trusted-packages setting remained permissive, leaving the vulnerability exploitable. Organizations that process untrusted Parquet files without proper restrictions face the risk of supply-chain attacks, malware deployment, and critical service outages. Immediate remediation requires upgrading to Parquet Java 1.15.2 or setting the org.apache.parquet.avro.SERIALIZABLE_PACKAGES property to an empty string to block execution of untrusted classes. Failure to address this issue could result in severe operational and reputational damage.
Source: https://cybersecuritynews.com/apache-parquet-java-vulnerability/
{
  "id": "the300050525",
  "linkid": "the-apache-software-foundation",
  "type": "Vulnerability",
  "date": "5/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}