Advisory

Critical Remote Code Execution flaw reported in Apache Parquet Java library

Take action: Patching may be involved, because the Apache Parquet Java library is embedded in many services rather than installed on its own. Start with an inventory of every component you run that bundles the library (big data frameworks, ETL jobs, custom readers) and the version each one carries. Then determine, per component, whether the Parquet files it reads come only from sources you control or also from outside parties. If you accept files from outside sources, patch IMMEDIATELY or put controls on incoming files (quarantine plus inspection of the file footer for an embedded Avro schema that names Java classes) until you can. Otherwise it is still a quick patch, just not panic mode. Now that a public PoC exists, patching or isolating exposed readers is more urgent.


Learn More

A maximum-severity vulnerability has been disclosed in the Apache Parquet Java library, affecting all versions up to and including 1.15.0. The vulnerable code is in the parquet-avro module, which is the part of the library that maps Parquet data to and from Avro schemas.

The flaw, tracked as CVE-2025-30065 (CVSS 10.0), is a deserialization-of-untrusted-data weakness (CWE-502) in the schema parsing of parquet-avro: the Avro schema that the writer stores in a Parquet file's footer metadata is parsed by the reader, and a crafted schema can cause arbitrary Java classes to be instantiated. A specially crafted Parquet file therefore leads to remote code execution inside whatever process reads it.

An attacker who can get a crafted Parquet file read by a vulnerable application can execute arbitrary code on that system and, from there, take complete control of it: read, steal or modify sensitive data, install malicious software, or disrupt services and cause business downtime.

The vulnerability affects any application or service using vulnerable versions of the Apache Parquet Java library, including:

  • Big data frameworks (Hadoop, Spark, Flink)
  • Managed cloud data services (on AWS, Google Cloud, Azure) that bundle the library
  • Data lakes and ETL tools
  • Custom applications incorporating Parquet Java code

Only code paths that read Parquet through parquet-avro are exposed (per the Apache description); non-Java readers such as the C++/Arrow implementation do not share this code, so the inventory should record which reader each component actually uses. Major companies known to use Parquet include Netflix, Uber, Airbnb, and LinkedIn.

As of early April 2025 there were no known reports of exploitation in the wild. Since the vulnerability is public, exploitation attempts are likely to follow.

The flaw is fixed in version 1.15.1; upgrade to Apache Parquet Java 1.15.1 or later immediately. The fix restricts which classes an embedded Avro schema may cause to be loaded, and 1.15.2 tightened that default further (CVE-2025-46762), so prefer the latest 1.15.x release rather than stopping at 1.15.1. If immediate upgrading is not possible:

  • Do not feed Parquet files from untrusted sources to parquet-avro readers
  • Validate incoming files before processing: read the footer, compare the embedded schema against what the producer is expected to send, and quarantine anything that deviates
  • Treat an embedded Avro schema that names Java classes outside a short allowlist as hostile; the reflect-style properties a legitimate producer emits are few and predictable
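The following triage scanner is an added example for the interim controls above; it is not Apache Parquet or F5 Labs code. It reads the Thrift footer at the tail of a Parquet file, pulls out the Avro schema that parquet-avro stores under the key_value_metadata key parquet.avro.schema, and flags any Avro reflect properties (java-class, java-key-class, java-element-class) that name a class outside an allowlist. It assumes the Thrift compact-protocol layout of a KeyValue entry (key bytes immediately followed by the value field header 0x18, a varint length and the value bytes), and it assumes java.lang.String is the one class your own producers legitimately emit; the sample files it builds are constructed for the example and are not valid Parquet beyond the footer fields inspected.

```python
"""Footer triage for incoming Parquet files (CVE-2025-30065, parquet-avro).
Added example, not project code; layout and allowlist assumptions noted inline."""
import json
import struct
import sys

MAGIC = b"PAR1"
AVRO_SCHEMA_KEY = b"parquet.avro.schema"          # key parquet-avro writes
CLASS_PROPS = ("java-class", "java-key-class", "java-element-class")
# Assumption: Avro reflect writers routinely tag string fields with
# java.lang.String; extend this to what your own producers legitimately emit.
DEFAULT_ALLOWED = frozenset({"java.lang.String"})


def _read_varint(buf, pos):
    """Decode a Thrift compact-protocol varint starting at buf[pos]."""
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def _write_varint(n):
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def read_footer(data):
    """Return the raw FileMetaData bytes: a file ends with <footer><u32 len>PAR1."""
    if len(data) < 12 or data[:4] != MAGIC or data[-4:] != MAGIC:
        raise ValueError("not a Parquet file (missing PAR1 magic)")
    (footer_len,) = struct.unpack("<I", data[-8:-4])
    if footer_len > len(data) - 12:
        raise ValueError("footer length exceeds file size")
    return data[-8 - footer_len:-8]


def extract_avro_schema(footer):
    """Locate the Avro schema JSON inside key_value_metadata, or return None.
    Assumes compact-protocol KeyValue encoding: the key string is followed by
    the value field header (field 2, BINARY -> 0x18), a varint length, the bytes."""
    idx = footer.find(AVRO_SCHEMA_KEY)
    if idx < 0:
        return None
    pos = idx + len(AVRO_SCHEMA_KEY)
    if pos >= len(footer) or footer[pos] != 0x18:
        return None
    length, pos = _read_varint(footer, pos + 1)
    return footer[pos:pos + length].decode("utf-8", errors="replace")


def find_java_classes(node):
    """Walk a parsed Avro schema and collect (property, class-name) pairs."""
    hits = []
    if isinstance(node, dict):
        for key, val in node.items():
            if key in CLASS_PROPS and isinstance(val, str):
                hits.append((key, val))
            else:
                hits.extend(find_java_classes(val))
    elif isinstance(node, list):
        for item in node:
            hits.extend(find_java_classes(item))
    return hits


def scan_parquet_bytes(data, allowed=DEFAULT_ALLOWED):
    """Triage one file. 'suspicious' means: quarantine before any parquet-avro read."""
    footer = read_footer(data)
    schema_text = extract_avro_schema(footer)
    classes, parsed = [], False
    if schema_text is not None:
        try:
            classes = find_java_classes(json.loads(schema_text))
            parsed = True
        except json.JSONDecodeError:
            parsed = False
    unexpected = [(p, c) for p, c in classes if c not in allowed]
    # Fallback when the JSON could not be recovered: the footer stores the schema
    # text verbatim, so a raw byte search still catches the property names.
    raw_hits = [p for p in CLASS_PROPS if b'"%s"' % p.encode() in footer]
    return {
        "has_avro_schema": schema_text is not None,
        "java_classes": classes,
        "unexpected_classes": unexpected,
        "suspicious": bool(unexpected) if parsed else bool(raw_hits),
    }


def build_sample(schema_json=None):
    """Constructed test input: a minimal file carrying only the footer parts we inspect."""
    if schema_json is None:
        footer = b"\x00"  # empty struct, no key_value_metadata
    else:
        key, val = AVRO_SCHEMA_KEY, schema_json.encode()
        footer = (b"\x18" + _write_varint(len(key)) + key
                  + b"\x18" + _write_varint(len(val)) + val)
    return MAGIC + b"\x00" * 16 + footer + struct.pack("<I", len(footer)) + MAGIC


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_parquet_bytes(fh.read()))
```

Run it as `python scan.py incoming/*.parquet` at the quarantine step and route anything marked suspicious away from parquet-avro readers. The allowlist is the part to tune: a schema naming java.lang.String on a string field is normal for Avro reflect producers, while any other class name in those properties has no business arriving from outside and should be treated as an attack attempt.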

Update, as of 6 May 2025: F5 Labs has published a "canary exploit" PoC tool that demonstrates the vulnerability by:

  • Generating a Parquet file whose embedded Avro schema triggers instantiation of javax.swing.JEditorPane (a class shipped with the JDK; the class is named JEditorKit in some write-ups, but no such class exists)
  • Passing a single String constructor argument that the class treats as a URL, which causes an HTTP GET request from the reading process
  • Registering a canary URL so the request itself shows whether the vulnerable code path was reached

Defenders can use the tool to confirm whether a given reader is exploitable, without running anything more harmful than an outbound request. Attackers can just as easily take it as the starting point for a working exploit. Either way, the primitive it relies on produces an unexpected outbound HTTP request from a JVM that merely opened a data file, which is worth alerting on from data-processing hosts that normally have no reason to reach out.
