A critical security vulnerability has been disclosed in Apache Parquet’s Java Library, tracked as CVE-2025-30065. If successfully exploited, the flaw could allow remote attackers to execute arbitrary code on vulnerable systems. This vulnerability affects all versions of Apache Parquet up to and including version 1.15.0. The issue resides in the parquet-avro module, where improper schema parsing allows attackers to exploit the flaw, which carries a CVSS score of 10.0, marking it as highly severe. Keyi Li of Amazon discovered and reported the flaw, and Apache addressed the issue in version 1.15.1.
The vulnerability in question allows attackers to manipulate Parquet files in such a way that they can execute arbitrary code when the affected system processes those files. Specifically, by crafting malicious Parquet files and tricking vulnerable systems into processing them, attackers can take control of the system. This can lead to significant security risks, particularly for data pipelines and analytics systems that process Parquet files sourced from untrusted or external parties. The flaw allows for potential remote code execution, which could result in unauthorized access and full system compromise.
Although there has been no evidence of the flaw being actively exploited, it remains a significant concern due to its potential for widespread impact. The vulnerability primarily affects data processing systems that rely on Apache Parquet for managing and analyzing large datasets. Given the nature of Parquet files and their common use in industries dealing with sensitive data, such as financial services or healthcare, the exploitation of this flaw could have severe consequences, including data theft, loss of data integrity, and system downtime. The Apache team has urged all users of versions up to 1.15.0 to upgrade to version 1.15.1 to mitigate the risk.
This disclosure is part of a broader trend where attackers increasingly target vulnerabilities in widely used software platforms. Similar flaws have been actively exploited in other widely used projects, such as Apache Tomcat, which also had a critical vulnerability that was exploited shortly after public disclosure. Organizations should prioritize timely updates and patches to reduce the risk posed by such vulnerabilities.
