216.73.216.215

CVE-2025-46762

· Published 06/05/2025 10:15 · Modified 06/05/2025 10:15

Labels: CVE-2025-46762 2025-05-06CVE-2025-46762CWE-73[email protected]

Essential information

Published
06/05/2025 10:15
Modified
06/05/2025 10:15
Author
Creator
CVSS
7.1 HIGH (v3) 7.1 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be executed. The exploit is only applicable if the client code of parquet-avro uses the "specific" or the "reflect" models deliberately for reading Parquet files. ("generic" model is not impacted) Users are recommended to upgrade to 1.15.2 or set the system property "org.apache.parquet.avro.SERIALIZABLE_PACKAGES" to an empty string on 1.15.1. Both are sufficient to fix the issue.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
apache / parquet cpe:2.3:a:apache:parquet:1.15.0:*:*:*:*:*:*:*
apache / parquet cpe:2.3:a:apache:parquet:1.15.1:*:*:*:*:*:*:*
apache / parquet cpe:2.3:a:apache:parquet:1.15.2:*:*:*:*:*:*:*
apache / parquet-avro cpe:2.3:a:apache:parquet-avro:1.15.0:*:*:*:*:*:*:*
apache / parquet-avro cpe:2.3:a:apache:parquet-avro:1.15.1:*:*:*:*:*:*:*
apache / parquet-avro cpe:2.3:a:apache:parquet-avro:1.15.2:*:*:*:*:*:*:*

References