CVE-2025-30065
Apache Parquet Java: Arbitrary code execution in the parquet-avro module when reading an Avro schema from a Parquet file metadata
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code
Users are recommended to upgrade to version 1.15.1, which fixes the issue.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Affected products
Apache Software Foundation · Apache Parquet Javapublic PoCs found — 9
githubgithub.com/F5-Labs/parquet-canary-exploit-rce-poc-CVE-2025-30065★ 12githubgithub.com/bjornhels/CVE-2025-30065★ 12githubgithub.com/h3st4k3r/CVE-2025-30065★ 7githubgithub.com/mouadk/parquet-rce-poc-CVE-2025-30065★ 3githubgithub.com/ThreatRadarAI/TRAI-001-Critical-RCE-Vulnerability-in-Apache-Parquet-CVE-2025-30065-Simulation★ 1githubgithub.com/micrictor/parquet-avro-rce★ 0githubgithub.com/ron-imperva/CVE-2025-30065-PoC★ 0cve_referencegithub.com/h3st4k3r/CVE-2025-30065/blob/main/POC-CVE-2025-30065-ParquetExploitGenerator.javaunverifiedcve_referencegithub.com/mouadk/parquet-rce-poc-CVE-2025-30065/blob/main/src/main/java/com/evil/GenerateMaliciousParquetSSRF.javaunverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://access.redhat.com/security/cve/CVE-2025-30065https://github.com/apache/parquet-java/pull/3169https://github.com/h3st4k3r/CVE-2025-30065/blob/main/POC-CVE-2025-30065-ParquetExploitGenerator.javahttps://github.com/mouadk/parquet-rce-poc-CVE-2025-30065/blob/main/src/main/java/com/evil/GenerateMaliciousParquetSSRF.javahttps://lists.apache.org/thread/okzqb3kn479gqzxm21gg5vqr35om9gw5https://news.ycombinator.com/item?id=43603091https://www.bleepingcomputer.com/news/security/max-severity-rce-flaw-discovered-in-widely-used-apache-parquet/http://www.openwall.com/lists/oss-security/2025/04/01/1