Analysis Summary

A critical remote code execution vulnerability, tracked as CVE-2025-46762, has been disclosed in Apache Parquet Java, specifically affecting all versions up to 1.15.1. The flaw resides in the parquet-avro module, which handles Avro schema parsing within Parquet files, a format widely used in data ecosystems like Apache Hadoop, Spark, and Flink. The vulnerability allows attackers to execute arbitrary code by supplying maliciously crafted Parquet files containing harmful Avro schemas, particularly when applications use the “specific” or “reflect” Avro models for deserialization. The “generic” model remains unaffected.

This security flaw arises from the handling of trusted packages during schema deserialization. Although version 1.15.1 attempted to address the issue by introducing restrictions on untrusted packages, its default configuration still allowed malicious classes from trusted packages to be executed. This oversight left many systems vulnerable to exploitation, especially those that ingest Parquet files from untrusted external sources in automated or large-scale data pipelines.

The issue was discovered and responsibly reported by Researchers as part of ongoing research into serialization vulnerabilities. Notably, this vulnerability is closely related to a previously identified flaw, CVE-2025-30065, which also targeted the parquet-avro module. Both highlight the persistent risks posed by insecure deserialization mechanisms in widely used big data tools. Given the widespread usage of Apache Parquet, this vulnerability poses a significant threat to enterprise-scale data infrastructure.

To mitigate the risk, the Apache Parquet team released version 1.15.2 on May 1, 2025, which fully resolves the vulnerability. Organizations unable to upgrade immediately but using version 1.15.1 are advised to set the system property org.apache.parquet.avro.SERIALIZABLE_PACKAGES to an empty string to block all serializable packages. Security teams are strongly urged to audit their systems, identify vulnerable configurations, and apply the recommended upgrades or mitigations without delay to prevent possible exploitation.

Impact

• Code Execution

Indicators of Compromise

CVE

• CVE-2025-46762

Affected Vendors

Remediation

• Upgrade to the latest version of Apache Parquet, available from the Apache website.
• This version includes a complete fix that eliminates the vulnerability by enforcing stricter controls on Avro schema deserialization.
• Set the following system property to an empty string to disable all trusted packages.
• Prefer the “generic” model for deserializing Avro data when handling untrusted Parquet files, as it is not affected by this vulnerability.
• Review any systems that read Parquet files from external or untrusted sources and assess their exposure based on Avro model usage and Parquet Java version.