CVE-2025-46762

HIGH

Apache Parquet <1.15.0 - RCE

Title source: llm

Description

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be executed. The exploit is only applicable if the client code of parquet-avro uses the "specific" or the "reflect" models deliberately for reading Parquet files. ("generic" model is not impacted) Users are recommended to upgrade to 1.15.2 or set the system property "org.apache.parquet.avro.SERIALIZABLE_PACKAGES" to an empty string on 1.15.1. Both are sufficient to fix the issue.

References (2)

[Mailing List] https://lists.apache.org/thread/t7724lpvl110xsbgqwsmrdsns0rhycdp

[Mailing List] http://www.openwall.com/lists/oss-security/2025/05/02/1

Scores

CVSS v3 8.1

EPSS 0.0038

EPSS Percentile 59.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-73

Status published

Affected Products (2)

apache/parquet < 1.15.2

org.apache.parquet/parquet-avro < 1.15.2Maven

Timeline

Published May 06, 2025

Tracked Since Feb 18, 2026