CVE-2025-46762

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be executed. The exploit is only applicable if the client code of parquet-avro uses the "specific" or the "reflect" models deliberately for reading Parquet files. ("generic" model is not impacted) Users are recommended to upgrade to 1.15.2 or set the system property "org.apache.parquet.avro.SERIALIZABLE_PACKAGES" to an empty string on 1.15.1. Both are sufficient to fix the issue.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/t7724lpvl110xsbgqwsmrdsns0rhycdp	Mailing List
http://www.openwall.com/lists/oss-security/2025/05/02/1	Mailing List

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:parquet:*:*:*:*:*:*:*:*

History

13 May 2025, 20:25

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-06 10:15

Updated : 2025-05-13 20:25

NVD link : CVE-2025-46762

Mitre link : CVE-2025-46762

CVE.ORG link : CVE-2025-46762

JSON object : View

Products Affected

apache

parquet

CWE

CWE-73

External Control of File Name or Path

NVD-CWE-noinfo

{"id": "CVE-2025-46762", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security@apache.org", "cvssData": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:X/V:X/RE:M/U:Amber", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "AMBER", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-06T10:15:16.047", "references": [{"url": "https://lists.apache.org/thread/t7724lpvl110xsbgqwsmrdsns0rhycdp", "tags": ["Mailing List"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2025/05/02/1", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-73"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code.\n\nWhile 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be executed.\n\nThe exploit is only applicable if the client code of parquet-avro uses the \"specific\" or the \"reflect\" models deliberately for reading Parquet files. (\"generic\" model is not impacted)\n\nUsers are recommended to upgrade to 1.15.2 or set the system property \"org.apache.parquet.avro.SERIALIZABLE_PACKAGES\" to an empty string on 1.15.1. Both are sufficient to fix the issue."}, {"lang": "es", "value": "El an\u00e1lisis de esquemas en el m\u00f3dulo parquet-avro de Apache Parquet 1.15.0 y versiones anteriores permite a actores maliciosos ejecutar c\u00f3digo arbitrario. Si bien la versi\u00f3n 1.15.1 introdujo una correcci\u00f3n para restringir los paquetes no confiables, la configuraci\u00f3n predeterminada de los paquetes confiables a\u00fan permite la ejecuci\u00f3n de clases maliciosas de estos paquetes. El exploit solo es aplicable si el c\u00f3digo cliente de parquet-avro utiliza deliberadamente los modelos \"specific\" o \"reflect\" para leer archivos de Parquet. (El modelo \"gen\u00e9rico\" no se ve afectado). Se recomienda a los usuarios actualizar a la versi\u00f3n 1.15.2 o configurar la propiedad del sistema \"org.apache.parquet.avro.SERIALIZABLE_PACKAGES\" con una cadena vac\u00eda en la versi\u00f3n 1.15.1. Ambas opciones son suficientes para solucionar el problema."}], "lastModified": "2025-05-13T20:25:00.003", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:parquet:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B409A6CA-62D9-4667-825E-96EDD827FE08", "versionEndExcluding": "1.15.2"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}