CVE-2023-47248

CVE-2023-47248: PyArrow, PyArrow: Arbitrary code execution when loading a malicious data file

Vendor Apache Software Foundation
Product PyArrow
Weakness CWE-502 · Unsafe deserialization
Published November 9, 2023
Last update February 13, 2025
View on NVD All CVEs

CVSS base score

What the vulnerability does

01Description

Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files). This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings. It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon. If it is not possible to upgrade, we provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions.

Key dates

02Disclosure timeline

November 9, 2023 CVE published
February 13, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2020-7811 Samsung Update Local Privilege Escalation Vulnerability CVE-2023-39476 Inductive Automation Ignition JavaSerializationCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability CVE-2022-41922 yiisoft/yii before v1.1.27 vulnerable to Remote Code Execution if the application calls `unserialize()` on arbitrary user input CVE-2024-10749 ThinkAdmin Plugs.php script deserialization CVE-2025-13714 Tencent MedicalNet generate_model Deserialization of Untrusted Data Remote Code Execution Vulnerability