Apache Parquet Java, Remote Code Execution, CVE-2025-XXXX (High)

How the CVE Works

The vulnerability (CVE-2025-XXXX) is in the `parquet-avro` module of Apache Parquet Java. When a Parquet file is read with the `specific` or `reflect` Avro data model, the Avro schema stored in the file's footer metadata is parsed, and Java class names it carries (through Avro's `java-class`-style schema properties) are resolved and loaded by the JVM. A crafted file can therefore make the reader load attacker-chosen classes and execute code. Versions 1.15.0 and earlier place no restriction on which classes a schema may name. Version 1.15.1 added an allow-list of trusted package prefixes (the `org.apache.parquet.avro.SERIALIZABLE_PACKAGES` system property), but its default list (e.g. `java.lang`, `org.apache.hadoop.`) still lets classes under those packages be loaded, so 1.15.1 with default settings remains affected. The `generic` model never resolves Java classes from the schema and is unaffected.

DailyCVE Form

Platform: Apache Parquet Java
Version: ≤1.15.1
Vulnerability: RCE via schema
Severity: High
Date: 2025-05-06

What Undercode Say:

Exploitation:

1. Craft a malicious Parquet file: embed an Avro schema whose `java-class`-style properties name attacker-chosen classes.

2. Trigger class loading: the victim reads the file with `AvroParquetReader` using the `specific` or `reflect` data model.

3. Execute payload: in 1.15.0 and earlier any named class is loaded; in 1.15.1 a class under a default-trusted package prefix (e.g. `org.apache.hadoop.`) still passes the allow-list check and is loaded.

Example Exploit Code (PoC):

// Malicious schema forcing class loading (the class name is a placeholder; Avro's property is `java-class`)
{
  "type": "record",
  "name": "Exploit",
  "fields": [{
    "name": "payload",
    "type": {"type": "string", "java-class": "malicious.Code"}
  }]
}

Mitigation:

1. Upgrade to Parquet 1.15.2.

2. On 1.15.1, empty the trusted-package list so that no class named in a schema is loaded:

java -Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES="" -jar app.jar

3. Use the `generic` model: avoid `specific`/`reflect` when reading files you do not control.

Detection Commands:

Check Parquet version in JARs (1.15.1 and earlier are affected; the version is in the jar file name, and for shaded or renamed jars in the embedded Maven pom.properties)
find /path/to/libs -name 'parquet-avro-*.jar' -print
find /path/to/libs -name 'parquet-avro-*.jar' -exec unzip -p {} META-INF/maven/org.apache.parquet/parquet-avro/pom.properties \; | grep '^version='
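Beyond the jar version check, a triage step for files from untrusted sources is to inspect the Avro schema that parquet-avro stores in the Parquet footer (key-value metadata key `parquet.avro.schema`) for Java class references before the file is ever read with the `specific` or `reflect` model. The following Python is an added example, not code from this page or from the Parquet project: it walks an Avro schema, lists every `java-class`, `java-key-class` and `java-element-class` reference, and evaluates each against a prefix allow-list modelled on the `SERIALIZABLE_PACKAGES` property, so you can see which references a given setting would let through. The default prefix list and the class names in the constructed sample schemas are assumptions for illustration; the code does not reproduce parquet-avro's own check.

```python
"""Audit the Avro schema embedded in a Parquet footer for Java class references.

Added example for this page; not parquet-avro code. It models the trusted-package
prefix check that 1.15.1 introduced, so the effect of a SERIALIZABLE_PACKAGES value
on a given schema can be seen before the file reaches AvroParquetReader.
"""
import json
from typing import Iterator, List, Tuple

# Avro schema properties that the specific/reflect data models resolve to Java classes.
CLASS_PROPS = ("java-class", "java-key-class", "java-element-class")

# Assumption for illustration: a 1.15.1-style default allow-list built from the prefixes
# the page names. The real default set is not reproduced here; 1.15.2 defaults to none.
DEFAULT_TRUSTED_1_15_1 = ("java.", "org.apache.hadoop.")


def find_class_refs(schema, path: str = "$") -> Iterator[Tuple[str, str, str]]:
    """Walk a parsed Avro schema and yield (json_path, property, class_name) per reference."""
    if isinstance(schema, dict):
        for prop in CLASS_PROPS:
            if prop in schema:
                yield path, prop, str(schema[prop])
        for field in schema.get("fields") or []:            # record fields
            yield from find_class_refs(field.get("type"), f"{path}.{field.get('name', '?')}")
        for key in ("items", "values", "type"):             # array, map, nested type object
            if isinstance(schema.get(key), (dict, list)):
                yield from find_class_refs(schema[key], f"{path}.{key}")
    elif isinstance(schema, list):                          # union: check every branch
        for i, branch in enumerate(schema):
            yield from find_class_refs(branch, f"{path}[{i}]")
    # primitive type names (plain strings) carry no properties and need no handling


def parse_serializable_packages(value: str) -> List[str]:
    """Model of -Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES=<comma-separated prefixes>.
    An empty value yields an empty list, i.e. nothing is trusted."""
    return [p.strip() for p in value.split(",") if p.strip()]


def is_trusted(class_name: str, trusted_packages) -> bool:
    """Prefix allow-list check; '*' trusts everything, an empty list trusts nothing."""
    return any(p == "*" or class_name.startswith(p) for p in trusted_packages)


def audit_schema(schema_json: str, trusted_packages) -> List[dict]:
    """One finding per class reference, with whether the allow-list would let it load."""
    return [
        {"path": path, "prop": prop, "class": cls, "allowed": is_trusted(cls, trusted_packages)}
        for path, prop, cls in find_class_refs(json.loads(schema_json))
    ]


# Constructed sample schemas (not taken from any real file). The class names are placeholders:
# one outside any trusted prefix, one under a trusted prefix (not a known gadget class).
MALICIOUS_SCHEMA = json.dumps({
    "type": "record", "name": "Exploit",
    "fields": [
        {"name": "payload", "type": {"type": "string", "java-class": "malicious.Code"}},
        {"name": "hidden", "type": {"type": "string", "java-class": "org.apache.hadoop.Placeholder"}},
        {"name": "tags", "type": {"type": "array", "items": "string",
                                  "java-element-class": "malicious.Elem"}},
    ],
})
BENIGN_SCHEMA = json.dumps({
    "type": "record", "name": "Event",
    "fields": [{"name": "ts", "type": "long"}, {"name": "msg", "type": ["null", "string"]}],
})

if __name__ == "__main__":
    for label, allow in (("1.15.1-style default list", DEFAULT_TRUSTED_1_15_1),
                         ('SERIALIZABLE_PACKAGES=""', parse_serializable_packages(""))):
        print(f"--- {label}")
        for f in audit_schema(MALICIOUS_SCHEMA, allow):
            verdict = "LOADS" if f["allowed"] else "blocked"
            print(f"{f['path']:<12} {f['prop']:<20} {f['class']:<32} {verdict}")
    print("benign findings:", audit_schema(BENIGN_SCHEMA, DEFAULT_TRUSTED_1_15_1))
```

Run as a script, the malicious sample shows `org.apache.hadoop.Placeholder` passing under the default-style list and every reference blocked once the list is empty, which is the difference between the 1.15.1 default and the `-D...SERIALIZABLE_PACKAGES=""` mitigation. To audit a real file, feed `audit_schema` the string found under the `parquet.avro.schema` key of the footer's key-value metadata (with pyarrow, `pq.read_metadata(path).metadata.get(b"parquet.avro.schema")`); a file without that key was not written by parquet-avro and carries no Avro schema to resolve.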

Patch Analysis:

1.15.2 ships with an empty default trusted-package list, so no class named in a schema is loaded unless its package prefix is explicitly allow-listed:

// Safe configuration in 1.15.2: only classes under the com.trusted. prefix may be loaded from schemas.
// Set this before any parquet-avro reader is created; passing it on the JVM command line with -D is the safer choice.
System.setProperty("org.apache.parquet.avro.SERIALIZABLE_PACKAGES", "com.trusted.");
