GHSA-RP46-R563-JRC7 Apache Avro Java SDK is Vulnerable to Code Injection

🗓️ 13 Feb 2026 12:31:21Reported by GoogleType

osv

osv🔗 osv.dev👁 1 Views

Avro Java SDK is vulnerable to code injection from untrusted schemas; upgrade to 1.12.1 or 1.11.5.

Reporter	Title	Published	Views	Family All 50
IBM Security Bulletins	Security Bulletin: IBM Enterprise Build of Quarkus is affected by multiple vulnerabilities	15 Apr 202615:10	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM StreamSets Data Collector	9 Mar 202621:02	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Terracotta is affected by an Apache Avro vulnerability that could allow code injection leading to access to unauthorized resources	6 Mar 202619:38	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in Apache Avro Java SDK affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.	4 May 202614:25	–	ibm
ATTACKERKB	CVE-2025-33042	13 Feb 202611:47	–	attackerkb
Chainguard	CVE-2025-33042 vulnerabilities	19 Feb 202607:17	–	cgr
Circl	CVE-2025-33042	12 Feb 202617:51	–	circl
CNNVD	Apache Avro Java SDK 安全漏洞	13 Feb 202600:00	–	cnnvd
CVE	CVE-2025-33042	13 Feb 202611:47	–	cve
Cvelist	CVE-2025-33042 Apache Avro Java SDK: Code injection on Java generated code	13 Feb 202611:47	–	cvelist

Source	Link
nvd	www.nvd.nist.gov/vuln/detail/CVE-2025-33042
github	www.github.com/apache/avro/pull/3150
github	www.github.com/apache/avro/commit/84bc7322ca1c04ab4a8e4e708acf1e271541aac4
github	www.github.com/apache/avro
issues	www.issues.apache.org/jira/browse/AVRO-4053
lists	www.lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1
security	www.security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEAVRO-15282783
openwall	www.openwall.com/lists/oss-security/2026/02/12/2

20 May 2026 08:11Current

5.9Medium risk

Vulners AI Score5.9

CVSS 46.9

EPSS0.00057

apache avro java code injection untrusted schemas affected versions upgrade guidance