AVID-2026-R1679
Description
Apache Parquet Java: Arbitrary code execution in the parquet-avro module when reading an Avro schema from a Parquet file metadata (CVE-2025-30065)
Details
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code.
Users are recommended to upgrade to version 1.15.1, which fixes the issue.
Reason for inclusion in AVID: CVE-2025-30065 describes an arbitrary code execution vulnerability in Apache Parquet Java’s parquet-avro module when reading an Avro schema from Parquet file metadata. This is a security vulnerability (RCE) in a widely-used data ingestion/processing library that is commonly part of AI/ML data pipelines. It affects software components used to build/train/deploy AI systems, representing a software supply chain risk for general-purpose AI systems. The report provides sufficient details (affected versions, CVE, fix version).
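To find builds that still resolve an affected release, the following added example (not part of the advisory or of Apache Parquet) scans `mvn dependency:tree` output, or plain `group:artifact:version` lines, for parquet-avro versions below the fixed 1.15.1. The sample tree is constructed, and the script assumes version qualifiers such as `-SNAPSHOT` can be ignored when comparing.

```python
import re

# Maven coordinates of the affected module and the first fixed release (from the advisory).
ARTIFACT = "org.apache.parquet:parquet-avro"
FIXED = (1, 15, 1)

# Constructed sample of `mvn dependency:tree` output for a hypothetical project.
SAMPLE_TREE = """\
[INFO] com.example:ingest-job:jar:0.1.0
[INFO] +- org.apache.parquet:parquet-avro:jar:1.15.0:compile
[INFO] |  \\- org.apache.parquet:parquet-column:jar:1.15.0:compile
[INFO] +- org.apache.parquet:parquet-avro:jar:1.9.0:runtime
[INFO] \\- org.apache.parquet:parquet-avro:jar:1.15.1:compile
"""

def parse_version(text):
    """Leading numeric components as a tuple, e.g. '1.15.0-SNAPSHOT' -> (1, 15, 0)."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(0).split("."))
    return parts + (0,) * (3 - len(parts))  # pad '1.15' to (1, 15, 0)

def find_affected(tree_text):
    """Return (line_number, version, status) for each parquet-avro entry below FIXED."""
    findings = []
    for lineno, line in enumerate(tree_text.splitlines(), 1):
        m = re.search(re.escape(ARTIFACT) + r":\S+", line)
        if not m:
            continue
        fields = m.group(0).split(":")
        # group:artifact:version, or Maven's group:artifact:type[:classifier]:version:scope
        version = fields[2] if len(fields) == 3 else fields[-2]
        parsed = parse_version(version)
        if parsed is None:
            findings.append((lineno, version, "unparsed"))  # needs manual review
        elif parsed < FIXED:  # numeric compare, so 1.9.0 sorts below 1.15.1
            findings.append((lineno, version, "affected"))
    return findings

if __name__ == "__main__":
    for lineno, version, status in find_affected(SAMPLE_TREE):
        print(f"line {lineno}: {ARTIFACT} {version} is {status}; upgrade to 1.15.1")
```

Copies of the module that are shaded or bundled inside another jar do not appear in a dependency tree, so this check covers declared and transitive dependencies only.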
References
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache Parquet Java |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-502 | Deserialization of Untrusted Data |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2025-04-01
- Version: 0.3.3
- AVID Entry