24 matches found
EUVD-2025-13488
Malicious code in bioql PyPI...
Security Bulletin: Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code, which affects IBM watsonx.data
Summary Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to...
Security Bulletin: Apache Parquet Common Vulnerability reported in Cloudera offerings with IBM. Fixes available from Cloudera
Summary On April 1, 2025, a critical vulnerability in the parquet-avro module of Apache Parquet (CVE-2025-30065, CVSS score 10.0) was announced. Vulnerability Details CVEID: CVE-2025-30065 DESCRIPTION: Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows ba...
Exploit for Deserialization of Untrusted Data in Apache Parquet_Java
CVE-2025-30065 == Dangerous Deserialization in Parquet-Avro 🔥...
Arbitrary Code Execution (ACE)
org.apache.parquet, parquet-avro is vulnerable to Arbitrary Code Execution (ACE). The vulnerability is due to insecure schema parsing in the parquet-avro module and due to improper enforcement of package trust boundaries during deserialization, which allows an attacker to execute arbitrary code by...
ai.h2o:h2o-hive (>=3.42.0.1 <=3.46.0.11), ai.onehouse:lakeview-sync-tool (>=0.18.5 <=0.29.0) +491 more potentially affected by CVE-2025-46762 via org.apache.parquet:parquet-avro (>=1.10.0 <=1.15.1)
org.apache.parquet:parquet-avro MAVEN version =1.10.0, =3.42.0.1, =0.18.5, =0.6.1.2, =0.1.1, =0.3.0, =1.0.0, =1.0.0, =1.2.3, =1.0.0, =1.0.0, =1.0.0-beta.4, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.2 and more Source cves: CVE-2025-46762 Source advisory: SNYK:JAVA-ORGAPACHEPARQUET-10060156...
External Control of File Name or Path
Overview Affected versions of this package are vulnerable to External Control of File Name or Path during schema parsing. Although loading untrusted classes is no longer vulnerable via this vector as of version 1.15.1, by default an attacker who can control a trusted class can execute arbitrary...
GHSA-53WX-PR6Q-M3J5 Apache Parquet Java: Potential malicious code execution from trusted packages in the parquet-avro module when reading an Avro schema from a Parquet file metadata
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be...
Apache Parquet Java: Potential malicious code execution from trusted packages in the parquet-avro module when reading an Avro schema from a Parquet file metadata
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be...
CVE-2025-46762
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be...
CVE-2025-46762
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be...
CVE-2025-46762 Apache Parquet Java: Potential malicious code execution from trusted packages in the parquet-avro module when reading an Avro schema from a Parquet file metadata
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be...
Apache Parquet Security Vulnerability
Apache Parquet is a columnar storage format from the Apache Software Foundation. It can be used in any project in the Hadoop ecosystem. A security vulnerability exists in Apache Parquet 1.15.0 and earlier versions, which stems from schema parsing in the parquet-avro module allowing execution of arbitrary code...
The vulnerability of the parquet-avro module in the Apache Parquet Java library, which allows a hacker to execute arbitrary code.
The vulnerability of the parquet-avro module in the Apache Parquet Java library is related to deficiencies in the deserialization mechanism. Exploiting this vulnerability allows an attacker to execute arbitrary code during the processing of Avro schemas...
PT-2025-18792 · Apache · Apache Parquet Java
Name of the Vulnerable Software and Affected Versions: Apache Parquet versions prior to 1.15.2 Description: The vulnerability in Apache Parquet Java allows remote code execution via insecure parquet-avro module schema parsing. The issue affects versions up to 1.15.1. The parquet-avro module is...
Arbitrary Code Execution (ACE)
org.apache.parquet, parquet-avro is vulnerable to Arbitrary Code Execution. The vulnerability is due to unsafe deserialization during schema parsing in the parquet-avro module, which allows bad actors to execute arbitrary code...
The vulnerability of the parquet-avro module for columnar data storage in Apache Parquet Java allows an attacker to execute arbitrary code.
The vulnerability of the parquet-avro columnar storage format for Apache Parquet Java data processing is related to deficiencies in the deserialization mechanism. Exploiting this vulnerability allows an attacker to execute arbitrary code...
ai.h2o:h2o-hive (>=3.42.0.1 <=3.46.0.11), ai.onehouse:lakeview-sync-tool (>=0.18.5 <=0.29.0) +472 more potentially affected by CVE-2025-30065 via org.apache.parquet:parquet-avro (>=1.10.0 <=1.15.0)
org.apache.parquet:parquet-avro MAVEN version =1.10.0, =3.42.0.1, =0.18.5, =0.6.1.2, =0.1.1, =0.3.0, =1.0.0, =1.0.0, =1.2.3, =1.0.0, =1.0.0, =1.0.0-beta.4, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.2 and more Source cves: CVE-2025-30065 Source advisory: SNYK:JAVA-ORGAPACHEPARQUET-9638681...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data during schema parsing. An attacker can execute arbitrary code by passing in malicious classes as ReflectData or SpecificData inputs to the schema parser. Details Serialization is a process of converting...
GHSA-2C59-37C4-QRX5 Apache Parquet Avro Module Vulnerable to Arbitrary Code Execution
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.15.1, which fixes the issue...