CVE-2025-30065

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-30065
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code Users are recommended to upgrade to version 1.15.1, which fixes the issue.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://lists.apache.org/thread/okzqb3kn479gqzxm21gg5vqr35om9gw5 Mailing List Release Notes
http://www.openwall.com/lists/oss-security/2025/04/01/1 Mailing List Third Party Advisory
https://access.redhat.com/security/cve/CVE-2025-30065 Third Party Advisory Issue Tracking
https://github.com/apache/parquet-java/pull/3169 Issue Tracking Patch
https://news.ycombinator.com/item?id=43603091 Issue Tracking Third Party Advisory
https://www.bleepingcomputer.com/news/security/max-severity-rce-flaw-discovered-in-widely-used-apache-parquet/ Exploit Press/Media Coverage Third Party Advisory
https://github.com/h3st4k3r/CVE-2025-30065/blob/main/POC-CVE-2025-30065-ParquetExploitGenerator.java Third Party Advisory
https://github.com/mouadk/parquet-rce-poc-CVE-2025-30065/blob/main/src/main/java/com/evil/GenerateMaliciousParquetSSRF.java Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:parquet_java:*:*:*:*:*:*:*:*
History

28 Jul 2025, 14:23

Type Values Removed Values Added
References () https://lists.apache.org/thread/okzqb3kn479gqzxm21gg5vqr35om9gw5 - () https://lists.apache.org/thread/okzqb3kn479gqzxm21gg5vqr35om9gw5 - Mailing List, Release Notes
References () http://www.openwall.com/lists/oss-security/2025/04/01/1 - () http://www.openwall.com/lists/oss-security/2025/04/01/1 - Mailing List, Third Party Advisory
References () https://access.redhat.com/security/cve/CVE-2025-30065 - () https://access.redhat.com/security/cve/CVE-2025-30065 - Third Party Advisory, Issue Tracking
References () https://github.com/apache/parquet-java/pull/3169 - () https://github.com/apache/parquet-java/pull/3169 - Issue Tracking, Patch
References () https://news.ycombinator.com/item?id=43603091 - () https://news.ycombinator.com/item?id=43603091 - Issue Tracking, Third Party Advisory
References () https://www.bleepingcomputer.com/news/security/max-severity-rce-flaw-discovered-in-widely-used-apache-parquet/ - () https://www.bleepingcomputer.com/news/security/max-severity-rce-flaw-discovered-in-widely-used-apache-parquet/ - Exploit, Press/Media Coverage, Third Party Advisory
References () https://github.com/h3st4k3r/CVE-2025-30065/blob/main/POC-CVE-2025-30065-ParquetExploitGenerator.java - () https://github.com/h3st4k3r/CVE-2025-30065/blob/main/POC-CVE-2025-30065-ParquetExploitGenerator.java - Third Party Advisory
References () https://github.com/mouadk/parquet-rce-poc-CVE-2025-30065/blob/main/src/main/java/com/evil/GenerateMaliciousParquetSSRF.java - () https://github.com/mouadk/parquet-rce-poc-CVE-2025-30065/blob/main/src/main/java/com/evil/GenerateMaliciousParquetSSRF.java - Third Party Advisory
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8
CPE cpe:2.3:a:apache:parquet_java:*:*:*:*:*:*:*:*
First Time Apache parquet Java
Apache

07 May 2025, 13:15

Type Values Removed Values Added
References
  • () https://github.com/h3st4k3r/CVE-2025-30065/blob/main/POC-CVE-2025-30065-ParquetExploitGenerator.java -
  • () https://github.com/mouadk/parquet-rce-poc-CVE-2025-30065/blob/main/src/main/java/com/evil/GenerateMaliciousParquetSSRF.java -

07 Apr 2025, 03:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/security/cve/CVE-2025-30065 -
  • () https://github.com/apache/parquet-java/pull/3169 -
  • () https://news.ycombinator.com/item?id=43603091 -
  • () https://www.bleepingcomputer.com/news/security/max-severity-rce-flaw-discovered-in-widely-used-apache-parquet/ -

02 Apr 2025, 22:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2025/04/01/1 -
Summary
  • (es) El análisis del esquema en el módulo parquet-avro de Apache Parquet 1.15.0 y versiones anteriores permite que actores maliciosos ejecuten código arbitrario. Se recomienda a los usuarios actualizar a la versión 1.15.1, que soluciona el problema.

01 Apr 2025, 08:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-04-01 08:15

Updated : 2025-07-28 14:23

NVD link : CVE-2025-30065

Mitre link : CVE-2025-30065

CVE.ORG link : CVE-2025-30065

JSON object : View

Products Affected

apache

  • parquet_java
CWE
CWE-502

Deserialization of Untrusted Data