Advisory

Malicious code injection vulnerability reported in Apache Parquet Java

Take action: Check your infrastructure for systems that use Apache Parquet Java and, where possible, plan a prompt update. Otherwise, review whether you can set the JVM system property that blocks code execution. If you are using enterprise packages, contact your vendors for a patched package. In the meantime, restrict the affected systems to trusted users and networks.


Learn More

A vulnerability has been identified in Apache Parquet Java that enables attackers to inject malicious code into the metadata of a Parquet file.

The flaw is tracked as CVE-2025-46762 (CVSS score not available). It stems from insecure parsing of the Avro schema in the parquet-avro module of Apache Parquet Java. When a vulnerable system reads a compromised file, the embedded malicious code executes automatically, potentially leading to Remote Code Execution (RCE) attacks.

Systems using the "specific" or "reflect" data models are at risk, while the "generic" model is unaffected. Even with the default trusted-packages configuration introduced in version 1.15.1, certain code execution paths remain open, allowing potential exploitation through pre-approved Java packages such as java.util.

The flaw affects all versions of Apache Parquet Java up to and including version 1.15.1. A wide range of applications that use the parquet-avro module in big data frameworks such as Apache Spark, Hadoop, and Flink are exposed. These platforms rely on the module for deserialization and schema parsing, which creates a potential attack surface when processing Parquet files that contain malicious Avro schema data.

The vulnerability can allow attackers to execute arbitrary code on vulnerable systems and gain access to affected environments.

Users are advised to upgrade to Apache Parquet Java 1.15.2, which resolves the issue by tightening the boundaries on trusted packages. Users on version 1.15.1 who cannot immediately upgrade should set the JVM system property -Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES="" (an empty value), which mitigates the risk by blocking code execution from potentially malicious packages.
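The following POSIX shell script is an added example, not part of this advisory or of the Apache Parquet project. It scans a library directory (such as the lib directory of a Spark, Hadoop or Flink installation) for parquet-avro jars, flags any whose version is at or below 1.15.1 (the affected range stated above), and prints a JVM command line carrying the interim mitigation property for 1.15.1 deployments. It assumes the jar file name follows the usual parquet-avro-<version>.jar pattern; the classpath and main class it prints are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the advisory): find affected parquet-avro jars
# and show the interim JVM mitigation. Assumes jar names look like
# parquet-avro-1.15.1.jar; adjust if your build renames artifacts.

FIXED_VERSION="1.15.2"   # first fixed release named in the advisory

# Return 0 (true) when dotted version $1 is strictly lower than $2.
# Fields are compared numerically; missing fields count as 0, and a
# suffix such as "-SNAPSHOT" is ignored for the numeric comparison.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1;
    }'
}

# Return 0 when the given parquet-avro version is in the affected range
# (every release up to and including 1.15.1, i.e. anything below 1.15.2).
parquet_avro_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# Print the version embedded in a parquet-avro jar file name, e.g.
# /opt/lib/parquet-avro-1.15.1.jar -> 1.15.1. Prints nothing for other jars.
parquet_avro_version_from_jar() {
    case "$(basename "$1")" in
        parquet-avro-*.jar)
            basename "$1" .jar | sed 's/^parquet-avro-//' ;;
        *) ;;
    esac
}

# Walk a directory tree and print one line per parquet-avro jar found.
# Returns 0 when at least one affected jar was seen, 1 otherwise.
scan_classpath_dir() {
    found=1
    for jar in $(find "$1" -type f -name 'parquet-avro-*.jar' 2>/dev/null); do
        v=$(parquet_avro_version_from_jar "$jar")
        [ -n "$v" ] || continue
        if parquet_avro_affected "$v"; then
            echo "AFFECTED  $jar (parquet-avro $v <= 1.15.1)"
            found=0
        else
            echo "ok        $jar (parquet-avro $v)"
        fi
    done
    return $found
}

# Interim mitigation from the advisory for 1.15.1 deployments that cannot
# upgrade yet: start the JVM with the trusted-package list emptied.
# $1 is the classpath and $2 the main class; both are caller-supplied placeholders.
mitigated_java_cmd() {
    echo "java -Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES=\"\" -cp \"$1\" $2"
}

# Usage: ./check-parquet-avro.sh /opt/spark/jars
if [ -n "${1:-}" ]; then
    scan_classpath_dir "$1"
fi
```

The scan's exit status (0 when an affected jar is present) lets it slot into a CI or inventory job; the printed java command is only the stopgap the advisory describes for 1.15.1, and the real fix remains upgrading to 1.15.2.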