CyberSecurityBoard
Sponsor Register Login

Apache Parquet Java Vulnerability Let Attackers Execute Arbitrary Code

While Apache Parquet 1.15.1 introduced a fix to restrict untrusted packages in March 2025, security researchers discovered that the default setting of trusted packages remained permissive, still allowing malicious classes from these packages to be executed. A new critical security vulnerability in Apache Parquet Java has been disclosed that could allow attackers to execute arbitrary code through specially crafted Parquet files. According to the advisory released by Apache Software Foundation, “Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code”. Security experts note this vulnerability follows a similar deserialization flaw (CVE-2025-30065) discovered in April 2025, which also affected the parquet-avro module. The vulnerability was responsibly reported by security researchers Andrew Pikler, David Handermann, and Nándor Kollár, who identified the issue as part of ongoing security research into serialization vulnerabilities. The vulnerability stems from how Avro schemas are handled during deserialization, potentially allowing attackers to inject malicious code that gets executed during schema parsing. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis.

This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 05 May 2025 06:35:02 +0000


Cyber News related to Apache Parquet Java Vulnerability Let Attackers Execute Arbitrary Code

Max severity RCE flaw discovered in widely used Apache Parquet - A separate bulletin by Endor Labs highlights the risk of CVE-2025-30065 exploitation more clearly, warning that the flaw can impact any data pipelines and analytics systems that import Parquet files, with the risk being significant for files sourced ...
1 month ago Bleepingcomputer.com CVE-2025-30065
Apache Parquet Java Vulnerability Let Attackers Execute Arbitrary Code - While Apache Parquet 1.15.1 introduced a fix to restrict untrusted packages in March 2025, security researchers discovered that the default setting of trusted packages remained permissive, still allowing malicious classes from these packages to be ...
3 hours ago Cybersecuritynews.com CVE-2025-30065
Critical Apache Parquet RCE Vulnerability Lets Attackers Run Malicious Code - “The vulnerability can impact data pipelines and analytics systems that import Parquet files, particularly when those files come from external or untrusted sources,” warns Endor Labs in their security advisory. The vulnerability’s ...
1 month ago Cybersecuritynews.com CVE-2025-30065
Java 11 to 21: A Visual Guide for Seamless Migrati - One such significant transition is the migration from Java 21 to Java 11. In this comprehensive article, we embark on a journey to explore the intricacies of migrating from the cutting-edge Java 21 to the robust and widely adopted Java 11. Beyond the ...
1 year ago Feeds.dzone.com
CVE-2023-39913 - Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.This issue affects Apache UIMA Java SDK: before 3.5.0. ...
2 months ago
CVE-2021-41561 - Improper Input Validation vulnerability in Parquet-MR of Apache Parquet allows an attacker to DoS by malicious Parquet files. This issue affects Apache Parquet-MR version 1.9.0 and later versions. ...
3 years ago
CVE-2018-1000153 - A cross-site request forgery vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, ...
6 years ago
CVE-2018-1000152 - An improper authorization vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, ...
5 years ago
CVE-2018-3211 - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Serviceability). Supported versions that are affected are Java SE: 8u182 and 11; Java SE Embedded: 8u181. Easily exploitable vulnerability allows low privileged ...
2 years ago
CVE-2018-2602 - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: I18n). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151. Difficult to exploit vulnerability allows ...
2 years ago
CVE-2009-3874 - Integer overflow in the JPEGImageReader implementation in the ImageI/O component in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to execute arbitrary ...
6 years ago
CVE-2018-3180 - Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JSSE). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit ...
2 years ago
CVE-2017-3511 - Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JCE). Supported versions that are affected are Java SE: 7u131 and 8u121; Java SE Embedded: 8u121; JRockit: R28.3.13. Difficult to exploit vulnerability ...
5 years ago
CVE-2018-3136 - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows ...
2 years ago
CVE-2018-3169 - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows ...
2 years ago
CVE-2019-2996 - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Deployment). The supported version that is affected is Java SE: 8u221; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker ...
2 years ago
CVE-2017-3272 - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u131, 7u121 and 8u112; Java SE Embedded: 8u111. Easily exploitable vulnerability allows ...
7 years ago
CVE-2017-3289 - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 7u121 and 8u112; Java SE Embedded: 8u111. Easily exploitable vulnerability allows unauthenticated ...
7 years ago
CVE-2018-2641 - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151. Difficult to exploit vulnerability allows ...
2 years ago
CVE-2018-2634 - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JGSS). Supported versions that are affected are Java SE: 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151. Difficult to exploit vulnerability allows ...
2 years ago
CVE-2018-2814 - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161. Difficult to exploit vulnerability allows ...
2 years ago
CVE-2017-10074 - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Difficult to exploit vulnerability allows ...
2 years ago
CVE-2017-10346 - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows ...
2 years ago
CVE-2017-10285 - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows ...
2 years ago
CVE-2017-10087 - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows ...
2 years ago

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)