CVE-2025-30065NVD

Vulnerability Summary

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code

Users are recommended to upgrade to version 1.15.1, which fixes the issue.

Severity Level

CRITICAL(10.0)

Published Date

Apr 1, 2025

Last Modified

Jul 28, 2025

Exploitation Status

????

EPSS Score (30-Day)

Data Pending

Root Weakness (CWE)

CWE-502: Unknown/Unlisted Weakness ↗

Refer to the official MITRE database for detailed architectural specifications regarding this weakness.

CVSS v4.0 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

External References

https://lists.apache.org/thread/okzqb3kn479gqzxm21gg5vqr35om9gw5
http://www.openwall.com/lists/oss-security/2025/04/01/1
https://access.redhat.com/security/cve/CVE-2025-30065
https://github.com/apache/parquet-java/pull/3169
https://news.ycombinator.com/item?id=43603091
https://www.bleepingcomputer.com/news/security/max-severity-rce-flaw-discovered-in-widely-used-apache-parquet/
https://github.com/h3st4k3r/CVE-2025-30065/blob/main/POC-CVE-2025-30065-ParquetExploitGenerator.java
https://github.com/mouadk/parquet-rce-poc-CVE-2025-30065/blob/main/src/main/java/com/evil/GenerateMaliciousParquetSSRF.java