{"id":"CVE-2025-30065","details":"Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code.\n\nUsers are recommended to upgrade to version 1.15.1, which fixes the issue.","aliases":["GHSA-2c59-37c4-qrx5"],"modified":"2026-04-10T05:24:39.993669Z","published":"2025-04-01T08:15:15.283Z","related":["CGA-r893-75v8-559q"],"references":[{"type":"ADVISORY","url":"https://github.com/h3st4k3r/CVE-2025-30065/blob/main/POC-CVE-2025-30065-ParquetExploitGenerator.java"},{"type":"ADVISORY","url":"https://github.com/mouadk/parquet-rce-poc-CVE-2025-30065/blob/main/src/main/java/com/evil/GenerateMaliciousParquetSSRF.java"},{"type":"ADVISORY","url":"https://lists.apache.org/thread/okzqb3kn479gqzxm21gg5vqr35om9gw5"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2025/04/01/1"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2025-30065"},{"type":"REPORT","url":"https://news.ycombinator.com/item?id=43603091"},{"type":"FIX","url":"https://github.com/apache/parquet-java/pull/3169"},{"type":"EVIDENCE","url":"https://www.bleepingcomputer.com/news/security/max-severity-rce-flaw-discovered-in-widely-used-apache-parquet/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/parquet-java","events":[{"introduced":"0"},{"fixed":"c7257b8faff5699e13bbc781679dc03f48c1102a"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.15.1"}]}}],"versions":["apache-parquet-1.10.0","apache-parquet-1.11.0","apache-parquet-1.11.0-rc6","apache-parquet-1.11.0-rc7","apache-parquet-1.12.0","apache-parquet-1.12.0-rc0","apache-parquet-1.12.0-rc1","apache-parquet-1.12.0-rc2","apache-parquet-1.12.0-rc3","apache-parquet-1.12.0-rc4","apache-parquet-1.15.0","apache-parquet-1.15.0-rc1","apache-parquet-1.15.0-rc2","apache-parquet-1.8.0","apache-parquet-1.8.1","apache-parquet-1.9.0","apache-parquet-mr-1.6.0-incubating","parquet-1.0.0","parquet-1.0.1","parquet-1.1.0","parquet-1.1
.1","parquet-1.2.0","parquet-1.2.1","parquet-1.2.10","parquet-1.2.2","parquet-1.2.3","parquet-1.2.4","parquet-1.2.5","parquet-1.2.6","parquet-1.2.7","parquet-1.2.8","parquet-1.2.9","parquet-1.3.0","parquet-1.3.1","parquet-1.3.2","parquet-1.4.0","parquet-1.4.1","parquet-1.4.2","parquet-1.4.3","parquet-1.5.0","parquet-1.6.0rc1","parquet-1.6.0rc2","parquet-1.6.0rc5","parquet-1.6.0rc6","parquet-1.6.0rc7","parquet-1.8.0rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30065.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}