{"id":"CVE-2025-33042","details":"Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.\n\nThis issue affects Apache Avro Java SDK: all versions through 1.11.4 and versionĀ 1.12.0.\n\nUsers are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.","aliases":["GHSA-rp46-r563-jrc7"],"modified":"2026-04-12T15:15:02.556971Z","published":"2026-02-13T12:16:07.570Z","related":["CGA-93cw-42v9-q34h"],"references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2026/02/12/2"},{"type":"REPORT","url":"https://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/avro","events":[{"introduced":"0"},{"fixed":"257db287e4cf3f3831013780e709226d4aa188d9"},{"introduced":"0"},{"last_affected":"8c27801dc8d42ccc00997f25c0b8f45f8d4a233e"},{"introduced":"0"},{"last_affected":"8c27801dc8d42ccc00997f25c0b8f45f8d4a233e"},{"introduced":"0"},{"last_affected":"8c27801dc8d42ccc00997f25c0b8f45f8d4a233e"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.11.5"},{"introduced":"0"},{"last_affected":"1.12.0-NA"},{"introduced":"0"},{"last_affected":"1.12.0-rc0"},{"introduced":"0"},{"last_affected":"1.12.0-rc1"}]}}],"versions":["release-1.11.0","release-1.11.0-rc1","release-1.11.0-rc2","release-1.11.1","release-1.11.1-rc1","release-1.11.2","release-1.11.2-rc1","release-1.11.3","release-1.11.3-rc1","release-1.11.4","release-1.11.5-RC0","release-1.12.0","release-1.12.0-rc0","release-1.12.0-rc1"],"database_specific":{"vanir_signatures_modified":"2026-04-12T15:15:02Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-33042.json","vanir_signatures":[{"source":"https://github.com/apache/avro/commit/257db287e4cf3f3831013780e709226d4aa188d9","signature_type":"Line","target":{"file":"lang/java/compiler/src/test/java/org/apache/avro/compiler/specific/TestSpecificCompiler.java"},"signature_version":"v1","id":"CVE-2025-33042-083a1499","digest":{"threshold":0.9,"line_hashes":["291309800966843137947536545290032695159","221037608479349514828638049023753841869","315349996930919669934619115542338635801","297219962978289013949108349949537781373","272910421913207300507468130701630172916","170200307531041902844093467846247043852","257696663555733373567494095768409786221","190924354717666708339553501730895217287","224589439695360237174914848439162696008"]},"deprecated":false},{"source":"https://github.com/apache/avro/commit/257db287e4cf3f3831013780e709226d4aa188d9","signature_type":"Function","target":{"function":"javaAnnotations","file":"lang/java/compiler/src/main/java/org/apache/avro/compiler/specific/SpecificCompiler.java"},"signature_version":"v1","id":"CVE-2025-33042-34c672b6","digest":{"length":466,"function_hash":"32788602440209861843884792714707363535"},"deprecated":false},{"source":"https://github.com/apache/avro/commit/257db287e4cf3f3831013780e709226d4aa188d9","signature_type":"Line","target":{"file":"lang/java/compiler/src/main/java/org/apache/avro/compiler/specific/SpecificCompiler.java"},"signature_version":"v1","id":"CVE-2025-33042-9fc3eb30","digest":{"threshold":0.9,"line_hashes":["70771956055940442514103611574301114154","238903126193692026002511292991439891563","300906517244693446487937585945550490448","208827671120222188732267556602830336861","46262050765424080087731599745530234117","217116392064333751629977133211242667556","330199537522653320165707225666721878474","261400939099411121099566912930451212963","258504385302819325578918495081448122546","134725490339041595859278718042141308773","256881393042175191513787229119012532126","59618892000578408467121870609369899489","81974687732621857746509896468957032518","66398935291910999419497150480459600670","188714196139622641091367112218836400048","8682127004718845371017478450226688684","70374232380200534640351897473476193966","286133326394466185488886464481448443932","185531377118408463826116287966828968498","36989222978632851688226362820435483920","297969883165229994553685187753389185344","97752416601766057788212817459040229965","130648611176324906569536615708418682764","308067925127412434029531244835481049146","48450229955444445478261254704838572703","182922208540893286752063490037158396617","221583899330277162497754445847262678530","269191592085265711876533001616218781197","143193421323882948310740841132108965602","118098057086160394453256441589526704912","135885473812845987448263785048101326937","48842657684933011318605222139496299666","96374062915015664357954062759603122110","175991049823875534407563527860232381197"]},"deprecated":false},{"source":"https://github.com/apache/avro/commit/257db287e4cf3f3831013780e709226d4aa188d9","signature_type":"Line","target":{"file":"lang/java/ipc/src/test/java/org/apache/avro/compiler/specific/TestSpecificCompiler.java"},"signature_version":"v1","id":"CVE-2025-33042-a70e8b1e","digest":{"threshold":0.9,"line_hashes":["119733935718277627224716802179174359496","36013791008060821061663577733737481918","229007013215136918271743442596489128921","139173181423621862363735826218444014392"]},"deprecated":false},{"source":"https://github.com/apache/avro/commit/257db287e4cf3f3831013780e709226d4aa188d9","signature_type":"Function","target":{"function":"escapeForJavadoc","file":"lang/java/compiler/src/main/java/org/apache/avro/compiler/specific/SpecificCompiler.java"},"signature_version":"v1","id":"CVE-2025-33042-a8dc4b74","digest":{"length":80,"function_hash":"270343127961230285353372754179074138435"},"deprecated":false}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}]}