Apache Parquet Java Vulnerability CVE-2025-46762 Exposes Systems to Remote Code Execution Attacks

A vulnerability, tracked as CVE-2025-46762, has been found in Apache Parquet Java, allowing remote code execution through insecure schema parsing in the parquet-avro module. This flaw affects all versions up to 1.15.1, risking exploitation in various big data frameworks. Urgent steps, including upgrading to version 1.15.2 or applying specific patches, are recommended to mitigate the risk.

Key points:

  • A vulnerability in Apache Parquet Java allows for remote code execution (RCE) attacks through the parquet-avro module.
  • The flaw, discovered by Gang Wu and publicly disclosed on May 2, affects all versions up to 1.15.1.
  • The vulnerability enables code injection into Parquet file metadata, particularly via the Avro schema.
  • Only systems using the “specific” or “reflect” data models are at heightened risk; the “generic” model is unaffected.
  • Big data frameworks like Apache Spark, Hadoop, and Flink that use the parquet-avro module are particularly vulnerable.
  • Recommended mitigation includes upgrading to Apache Parquet Java 1.15.2 or setting a specific JVM system property to block potentially malicious packages.
  • Organizations should audit their data pipelines and prioritize using the generic Avro model to enhance security.
  • Failure to address this vulnerability could lead to data breaches and unauthorized access through supply chain exploits.
  • Security experts emphasize the critical need for swift action to protect against the severe RCE threat posed by this vulnerability.
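The two mitigations above (upgrade to 1.15.2, or set a JVM system property that restricts which packages parquet-avro will instantiate) are the kind of thing a pipeline audit should check mechanically. The script below is an added example, not code from the article or from the Apache Parquet project: it scans constructed `mvn dependency:list` output for the parquet-avro artifact, compares its version against the 1.15.2 fix named in the article, and checks the JVM arguments for the mitigating property. The property name `org.apache.parquet.avro.SERIALIZABLE_PACKAGES` is not given in the article; it is taken from the upstream Apache advisory, where setting it to the empty string on 1.15.1 is the documented workaround. The sample dependency lines and JVM arguments are constructed.

```python
"""Audit helper for CVE-2025-46762 exposure in Java data pipelines.

Added example (not from the article or the Apache Parquet project).
Assumptions, labelled: the fixed version 1.15.2 comes from the article;
the property name below comes from the upstream Apache advisory and is not
named in the article; all sample input is constructed.
"""
import re

# First release that is not affected (from the article).
FIXED_VERSION = (1, 15, 2, 1)
# Earliest release where the package allow-list exists, so the property
# workaround only applies from here (upstream advisory, not the article).
PROPERTY_MIN_VERSION = (1, 15, 1, 1)
SERIALIZABLE_PACKAGES_PROP = "org.apache.parquet.avro.SERIALIZABLE_PACKAGES"

# Matches `groupId:artifactId:type:version[:scope]` lines as printed by
# `mvn dependency:list` and `mvn dependency:tree`.
_COORD_RE = re.compile(
    r"org\.apache\.parquet:parquet-avro:[\w-]+:(?P<version>[0-9][\w.\-]*)"
)

# Constructed sample output; one vulnerable parquet-avro artifact.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.parquet:parquet-avro:jar:1.15.1:compile
[INFO]    org.apache.parquet:parquet-hadoop:jar:1.15.1:compile
[INFO]    org.apache.avro:avro:jar:1.11.4:compile
"""

def parse_version(version):
    """Turn '1.15.1' or '1.15.2-SNAPSHOT' into a comparable 4-tuple.

    The fourth element is 1 for a plain release and 0 for anything carrying a
    qualifier, so a pre-release such as 1.15.2-SNAPSHOT sorts *below* the
    1.15.2 release and is still reported as affected.
    """
    core, _, qualifier = version.partition("-")
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3]) + ((0 if qualifier else 1),)

def is_affected(version):
    """True for every parquet-avro version below the 1.15.2 release."""
    return parse_version(version) < FIXED_VERSION

def property_is_set_empty(jvm_args):
    """True if -Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES= is present with an empty value."""
    prefix = "-D" + SERIALIZABLE_PACKAGES_PROP + "="
    return any(a.startswith(prefix) and a[len(prefix):] == "" for a in jvm_args)

def find_parquet_avro_versions(dependency_text):
    """Return every parquet-avro version found in Maven dependency output."""
    return [m.group("version") for m in _COORD_RE.finditer(dependency_text)]

def assess(dependency_text, jvm_args=()):
    """Return one (version, status) pair per parquet-avro artifact found.

    status is 'fixed', 'mitigated-by-property' or 'vulnerable'.
    """
    results = []
    for ver in find_parquet_avro_versions(dependency_text):
        if not is_affected(ver):
            status = "fixed"
        elif parse_version(ver) >= PROPERTY_MIN_VERSION and property_is_set_empty(jvm_args):
            # The allow-list only exists from 1.15.1, so the property cannot
            # protect older releases; those must be upgraded.
            status = "mitigated-by-property"
        else:
            status = "vulnerable"
        results.append((ver, status))
    return results

if __name__ == "__main__":
    # Constructed JVM arguments, as a launcher might pass them.
    sample_args = ["-Xmx4g", "-D" + SERIALIZABLE_PACKAGES_PROP + "="]
    for ver, status in assess(SAMPLE_DEPENDENCY_LIST, ()):
        print(f"parquet-avro {ver}: {status}")
    for ver, status in assess(SAMPLE_DEPENDENCY_LIST, sample_args):
        print(f"parquet-avro {ver} with property set: {status}")
```

Run it against real `mvn dependency:list` output (or Gradle's equivalent, adjusting the regex) and the actual launcher arguments of each job; a "mitigated-by-property" result is a stopgap, and the article's recommendation remains an upgrade to 1.15.2 together with preferring the generic Avro model.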

Read More: https://thecyberexpress.com/apache-parquet-java-flaw-cve-2025-46762/