CVE-2025-33042

CVE-2025-33042: Apache Avro Java SDK: Code injection on Java generated code

Vendor Apache Software Foundation

Product Apache Avro Java SDK

Weakness CWE-94 · Code injection

Published February 13, 2026

Last update February 13, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas. This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0. Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.

Key dates

Disclosure timeline

February 13, 2026 CVE published

February 13, 2026 Record updated

Identifiers

CVE CVE-2025-33042

CWE CWE-94

Affected versions

Vendor Apache Software Foundation

Product Apache Avro Java SDK

Affected ≤ 1.11.4

Vendor Apache Software Foundation

Product Apache Avro Java SDK

Affected 1.12.0