Apache Software Foundation

A critical deserialization vulnerability (CVE-2025-46762) was disclosed in Apache Parquet Java's parquet-avro module, affecting all versions through 1.15.1. The flaw allows an attacker supplying a crafted Parquet file with a malicious Avro schema to execute arbitrary code on any system that uses the "specific" or "reflect" Avro models for reading data. This impacts big data processing frameworks, such as Hadoop, Spark, and Flink, that rely on Parquet for high-performance columnar storage and retrieval. Exploitation can lead to full system compromise, unauthorized access to sensitive data, disruption of analytics pipelines, and potential lateral movement within enterprise networks. Although version 1.15.1 included a partial fix, the default trusted-packages setting remained permissive, leaving the vulnerability exploitable. Organizations that process untrusted Parquet files without proper restrictions face the risk of supply-chain attacks, malware deployment, and critical service outages. Immediate remediation requires upgrading to Parquet Java 1.15.2 or setting the org.apache.parquet.avro.SERIALIZABLE_PACKAGES property to an empty string to block execution of untrusted classes. Failure to address this issue could result in severe operational and reputational damage.

Source: https://cybersecuritynews.com/apache-parquet-java-vulnerability/

TPRM report: https://scoringcyber.rankiteo.com/company/the-apache-software-foundation

{
  "id": "the300050525",
  "linkid": "the-apache-software-foundation",
  "type": "Vulnerability",
  "date": "5/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Technology',
                        'type': 'Big data processing frameworks'}],
 'attack_vector': 'Deserialization of untrusted data',
 'description': 'A critical deserialization vulnerability (CVE-2025-46762) was '
                'disclosed in Apache Parquet Java’s parquet-avro module, '
                'affecting all versions through 1.15.1. The flaw allows an '
                'attacker supplying a crafted Parquet file with a malicious '
                'Avro schema to execute arbitrary code on any system that uses '
                'the “specific” or “reflect” Avro models for reading data. '
                'This impacts big data processing frameworks—such as Hadoop, '
                'Spark, and Flink—that rely on Parquet for high-performance '
                'columnar storage and retrieval. Exploitation can lead to full '
                'system compromise, unauthorized access to sensitive data, '
                'disruption of analytics pipelines, and potential lateral '
                'movement within enterprise networks. Although version 1.15.1 '
                'included a partial fix, the default trusted‐packages setting '
                'remained permissive, leaving the vulnerability exploitable. '
                'Organizations that process untrusted Parquet files without '
                'proper restrictions face the risk of supply‐chain attacks, '
                'malware deployment, and critical service outages. Immediate '
                'remediation requires upgrading to Parquet Java 1.15.2 or '
                'setting the org.apache.parquet.avro.SERIALIZABLE_PACKAGES '
                'property to an empty string to block execution of untrusted '
                'classes. Failure to address this issue could result in severe '
                'operational and reputational damage.',
 'impact': {'brand_reputation_impact': 'Severe reputational damage',
            'data_compromised': 'Sensitive data',
            'operational_impact': 'Disruption of analytics pipelines',
            'systems_affected': ['Hadoop', 'Spark', 'Flink']},
 'motivation': ['System compromise',
                'Data theft',
                'Disruption of services',
                'Lateral movement'],
 'post_incident_analysis': {'corrective_actions': ['Upgrade to Parquet Java '
                                                   '1.15.2',
                                                   'Set '
                                                   'org.apache.parquet.avro.SERIALIZABLE_PACKAGES '
                                                   'to an empty string'],
                            'root_causes': 'Deserialization vulnerability in '
                                           'Apache Parquet Java’s parquet-avro '
                                           'module'},
 'recommendations': ['Upgrade to Parquet Java 1.15.2',
                     'Set org.apache.parquet.avro.SERIALIZABLE_PACKAGES to an '
                     'empty string'],
 'response': {'containment_measures': ['Upgrade to Parquet Java 1.15.2',
                                       'Set '
                                       'org.apache.parquet.avro.SERIALIZABLE_PACKAGES '
                                       'to an empty string']},
 'title': 'Critical Deserialization Vulnerability in Apache Parquet Java',
 'type': 'Vulnerability Exploitation',
 'vulnerability_exploited': 'CVE-2025-46762'}