CVE-2025-30065

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code Users are recommended to upgrade to version 1.15.1, which fixes the issue.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/okzqb3kn479gqzxm21gg5vqr35om9gw5	Mailing List Release Notes
http://www.openwall.com/lists/oss-security/2025/04/01/1	Mailing List Third Party Advisory
https://access.redhat.com/security/cve/CVE-2025-30065	Third Party Advisory Issue Tracking
https://github.com/apache/parquet-java/pull/3169	Issue Tracking Patch
https://news.ycombinator.com/item?id=43603091	Issue Tracking Third Party Advisory
https://www.bleepingcomputer.com/news/security/max-severity-rce-flaw-discovered-in-widely-used-apache-parquet/	Exploit Press/Media Coverage Third Party Advisory
https://github.com/h3st4k3r/CVE-2025-30065/blob/main/POC-CVE-2025-30065-ParquetExploitGenerator.java	Third Party Advisory
https://github.com/mouadk/parquet-rce-poc-CVE-2025-30065/blob/main/src/main/java/com/evil/GenerateMaliciousParquetSSRF.java	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:parquet_java:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-04-01 08:15

Updated : 2025-07-28 14:23

NVD link : CVE-2025-30065

Mitre link : CVE-2025-30065

CVE.ORG link : CVE-2025-30065

JSON object : View

Products Affected

apache

parquet_java

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2025-30065", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-04-01T08:15:15.283", "references": [{"url": "https://lists.apache.org/thread/okzqb3kn479gqzxm21gg5vqr35om9gw5", "tags": ["Mailing List", "Release Notes"], "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2025/04/01/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://access.redhat.com/security/cve/CVE-2025-30065", "tags": ["Third Party Advisory", "Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/apache/parquet-java/pull/3169", "tags": ["Issue Tracking", "Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://news.ycombinator.com/item?id=43603091", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.bleepingcomputer.com/news/security/max-severity-rce-flaw-discovered-in-widely-used-apache-parquet/", "tags": ["Exploit", "Press/Media Coverage", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/h3st4k3r/CVE-2025-30065/blob/main/POC-CVE-2025-30065-ParquetExploitGenerator.java", "tags": ["Third Party Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://github.com/mouadk/parquet-rce-poc-CVE-2025-30065/blob/main/src/main/java/com/evil/GenerateMaliciousParquetSSRF.java", "tags": ["Third Party Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code\n\n\nUsers are recommended to upgrade to version 1.15.1, which fixes the issue."}, {"lang": "es", "value": "El an\u00e1lisis del esquema en el m\u00f3dulo parquet-avro de Apache Parquet 1.15.0 y versiones anteriores permite que actores maliciosos ejecuten c\u00f3digo arbitrario. Se recomienda a los usuarios actualizar a la versi\u00f3n 1.15.1, que soluciona el problema."}], "lastModified": "2025-07-28T14:23:34.053", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:parquet_java:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EC4B22E1-F482-470E-B3D5-12D6E8C4DF0F", "versionEndExcluding": "1.15.1"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}