CVE-2025-30065 CRITICAL

CVE-2025-30065: Apache Parquet Java: Arbitrary code execution in the parquet-avro module when reading an Avro schema from a Parquet file metadata

Vendor Apache Software Foundation
Product Apache Parquet Java
Weakness CWE-502 · Unsafe deserialization
Published April 1, 2025
Last update February 26, 2026

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

Description

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.15.1, which fixes the issue.

Key dates

Disclosure timeline

April 1, 2025 CVE published
February 26, 2026 Record updated