CVE-2025-33042

HIGH

Apache Avro Java SDK <1.12.1-1.11.5 - Code Injection

Title source: llm

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas. This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0. Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.

Scores

CVSS v3 7.3
EPSS 0.0006
EPSS Percentile 18.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-94
Status published
Products (4)
apache/avro 1.12.0 (3 CPE variants)
apache/avro < 1.11.5
org.apache.avro/avro 1.12.0 - 1.12.1 (Maven)
org.apache.avro/avro-compiler 1.12.0 - 1.12.1 (Maven)
Published Feb 13, 2026
Tracked Since Feb 18, 2026