- Description
- Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be executed. The exploit is only applicable if the client code of parquet-avro deliberately uses the "specific" or the "reflect" models for reading Parquet files (the "generic" model is not impacted). Users are recommended to upgrade to 1.15.2 or set the system property "org.apache.parquet.avro.SERIALIZABLE_PACKAGES" to an empty string on 1.15.1. Both are sufficient to fix the issue.
- Source
- security@apache.org
- NVD status
- Analyzed
CVSS 4.0
- Type
- Secondary
- Base score
- 7.1
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:X/V:X/RE:M/U:Amber
- Severity
- HIGH
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- CWE-73 (assigned by security@apache.org)
- NVD-CWE-noinfo (assigned by nvd@nist.gov)
- Hype score
- Not currently trending
Apache Parquet Java flaw CVE-2025-46762 may allow remote code execution, exposing systems using versions 1.15.1 and earlier to cyberattacks. #CyberSecurity #RemoteCodeExecution #ApacheParquet https://t.co/9UPlmVH8EN
@CyberSecTV_eu
20 May 2025
30 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A vulnerability (CVE-2025-46762) has been discovered in “Apache Parquet” #ETX #certaz #cybersecurity #kibertəhlükəsizlik #xəbərdarlıq https://t.co/3iFF1RxUDo
@CERTAzerbaijan
12 May 2025
24 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-46762 🔴 HIGH (7.1) 🏢 Apache Software Foundation - Apache Parquet Java 🏗️ 0 🔗 https://t.co/hBZFycctew #CyberCron #VulnAlert #InfoSec https://t.co/xNbd5VTaaZ
@cybercronai
6 May 2025
12 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-46762 Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix t… https://t.co/A9T8Kbsh8U
@CVEnew
6 May 2025
404 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical vulnerability CVE-2025-46762 found in Apache Parquet Java allows arbitrary code execution. Users urged to upgrade to version 1.15.2 immediately. #CyberSecurity #ApacheParquet #DataSecurity https://t.co/OtDTUGbUCR
@dailytechonx
5 May 2025
21 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Security Alert: A critical flaw in Apache Parquet Java (CVE-2025-46762) could let attackers execute remote code via malicious Avro schemas. Affects versions ≤ 1.15.1. 🔧 Upgrade to 1.15.2 or apply mitigations now Read more https://t.co/C8gwBRHJgu #CyberSecurity #ApacheParq
@Hosainfosec
5 May 2025
35 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 A critical #RCE flaw (CVE-2025-46762) in Apache Parquet Java (<= 1.15.1) exposes big data platforms like Spark & Flink. Update to 1.15.2 ASAP. More details: https://t.co/NddDDjpOyh #ApacheParquet #CyberSecurity #Java
@threatsbank
5 May 2025
9 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A serious vulnerability (CVE-2025-46762) in Apache Parquet Java allows remote code execution via insecure parquet-avro module schema parsing. All versions up to 1.15.1 are affected. Upgrade to 1.15.2. ⚠️ #JavaSecurity #DataBreach #USA link: https://t.co/PYNFcy3oLq https://t.
@TweetThreatNews
5 May 2025
40 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Apache Parquet Java Vulnerability CVE-2025-46762 Exposes Systems to Remote Code Execution Attacks https://t.co/Ts2rkYyPt2
@wvipersg
5 May 2025
26 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Webmin and Apache Parquet Java face critical vulnerabilities (CVE-2025-2774 & CVE-2025-46762)! Urgent updates needed to ensure security. Learn more: https://t.co/yC3vI3wgBe #Cybersecurity #Vulnerabilities #InfoSec #Webmin https://t.co/fP4nunf1BY
@nexsecura
5 May 2025
29 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Severe Remote Code Execution Threat Discovered in Apache Parquet #Java Library (#CVE-2025-46762) https://t.co/cOxnby1MZW
@UndercodeNews
5 May 2025
37 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
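A critical vulnerability (CVE-2025-46762) has been discovered in Apache Parquet Java. It affects the parquet-avro module, and if a malicious Avro schema has been embedded in a Parquet file's metadata, there is a risk that arbitrary code execution becomes possible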
@yousukezan
5 May 2025
1452 Impressions
0 Retweets
6 Likes
1 Bookmark
0 Replies
0 Quotes
CVE-2025-46762: Apache Parquet Java Flaw Allows Potential RCE via Avro Schema https://t.co/QwiuN0CNaV
@Dinosn
5 May 2025
723 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-46762: Apache Parquet Java Flaw Allows Potential RCE via Avro Schema https://t.co/37uQZMGdMj
@the_yellow_fall
5 May 2025
492 Impressions
5 Retweets
4 Likes
2 Bookmarks
0 Replies
1 Quote
CVE-2025-46762: Apache Parquet Java: Potential malicious code execution from trusted packages in the parquet-avro module when reading an Avro schema from a Parquet file metadata https://t.co/uvdos9wkKs
@oss_security
2 May 2025
185 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:parquet:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B409A6CA-62D9-4667-825E-96EDD827FE08",
            "versionEndExcluding": "1.15.2"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]