Vulnerability Details CVE-2025-30065
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code
Users are recommended to upgrade to version 1.15.1, which fixes the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 52.8%
CVSS Severity
CVSS v3 Score 9.8
References
- https://lists.apache.org/thread/okzqb3kn479gqzxm21gg5vqr35om9gw5
- http://www.openwall.com/lists/oss-security/2025/04/01/1
- https://access.redhat.com/security/cve/CVE-2025-30065
- https://github.com/apache/parquet-java/pull/3169
- https://news.ycombinator.com/item?id=43603091
- https://www.bleepingcomputer.com/news/security/max-severity-rce-flaw-discovered-in-widely-used-apache-parquet/
- https://github.com/h3st4k3r/CVE-2025-30065/blob/main/POC-CVE-2025-30065-ParquetExploitGenerator.java
- https://github.com/mouadk/parquet-rce-poc-CVE-2025-30065/blob/main/src/main/java/com/evil/GenerateMaliciousParquetSSRF.java
Products affected by CVE-2025-30065
-
cpe:2.3:a:apache:parquet_java:-
-
cpe:2.3:a:apache:parquet_java:1.0.0
-
cpe:2.3:a:apache:parquet_java:1.0.1
-
cpe:2.3:a:apache:parquet_java:1.1.0
-
cpe:2.3:a:apache:parquet_java:1.1.1
-
cpe:2.3:a:apache:parquet_java:1.1.2
-
cpe:2.3:a:apache:parquet_java:1.10.0
-
cpe:2.3:a:apache:parquet_java:1.10.1
-
cpe:2.3:a:apache:parquet_java:1.11.0
-
cpe:2.3:a:apache:parquet_java:1.11.1
-
cpe:2.3:a:apache:parquet_java:1.11.2
-
cpe:2.3:a:apache:parquet_java:1.12.0
-
cpe:2.3:a:apache:parquet_java:1.12.1
-
cpe:2.3:a:apache:parquet_java:1.12.2
-
cpe:2.3:a:apache:parquet_java:1.12.3
-
cpe:2.3:a:apache:parquet_java:1.12.4
-
cpe:2.3:a:apache:parquet_java:1.13.0
-
cpe:2.3:a:apache:parquet_java:1.13.1
-
cpe:2.3:a:apache:parquet_java:1.14.0
-
cpe:2.3:a:apache:parquet_java:1.14.1
-
cpe:2.3:a:apache:parquet_java:1.14.2
-
cpe:2.3:a:apache:parquet_java:1.14.3
-
cpe:2.3:a:apache:parquet_java:1.14.4
-
cpe:2.3:a:apache:parquet_java:1.15.0
-
cpe:2.3:a:apache:parquet_java:1.2.0
-
cpe:2.3:a:apache:parquet_java:1.2.1
-
cpe:2.3:a:apache:parquet_java:1.2.10
-
cpe:2.3:a:apache:parquet_java:1.2.2
-
cpe:2.3:a:apache:parquet_java:1.2.3
-
cpe:2.3:a:apache:parquet_java:1.2.4
-
cpe:2.3:a:apache:parquet_java:1.2.5
-
cpe:2.3:a:apache:parquet_java:1.2.6
-
cpe:2.3:a:apache:parquet_java:1.2.7
-
cpe:2.3:a:apache:parquet_java:1.2.8
-
cpe:2.3:a:apache:parquet_java:1.2.9
-
cpe:2.3:a:apache:parquet_java:1.3.0
-
cpe:2.3:a:apache:parquet_java:1.3.1
-
cpe:2.3:a:apache:parquet_java:1.3.2
-
cpe:2.3:a:apache:parquet_java:1.4.0
-
cpe:2.3:a:apache:parquet_java:1.4.1
-
cpe:2.3:a:apache:parquet_java:1.4.2
-
cpe:2.3:a:apache:parquet_java:1.4.3
-
cpe:2.3:a:apache:parquet_java:1.5.0
-
cpe:2.3:a:apache:parquet_java:1.6.0
-
cpe:2.3:a:apache:parquet_java:1.7.0
-
cpe:2.3:a:apache:parquet_java:1.8.0
-
cpe:2.3:a:apache:parquet_java:1.8.1
-
cpe:2.3:a:apache:parquet_java:1.8.2
-
cpe:2.3:a:apache:parquet_java:1.8.3
-
cpe:2.3:a:apache:parquet_java:1.9.0