CVE-2023-47248
📋 TL;DR
This vulnerability allows arbitrary code execution when PyArrow processes untrusted Arrow IPC, Feather, or Parquet files. Applications that read these file formats from user-supplied sources are affected. Only PyArrow implementations are vulnerable, not other Apache Arrow bindings.
💻 Affected Systems
- PyArrow
📦 What is this software?
PyArrow by Apache
⚠️ Risk & Real-World Impact
Worst Case
Remote attacker gains full control of the system by uploading a malicious file that triggers the deserialization flaw.
Likely Case
Attackers execute arbitrary code on servers processing user-uploaded data files, potentially leading to data theft, system compromise, or lateral movement.
If Mitigated
If input validation and file source restrictions are in place, impact is limited to denial of service or data corruption.
🎯 Exploit Status
Exploitation requires only file upload/processing capability. CVSS 9.8 indicates critical severity with easy exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.0.1
Vendor Advisory: https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n
Restart Required: No
Instructions:
1. Upgrade PyArrow to version 14.0.1 or later using pip: pip install --upgrade pyarrow==14.0.1
2. Update downstream library dependencies to require pyarrow>=14.0.1
3. Test application functionality after upgrade.
🔧 Temporary Workarounds
Install the pyarrow-hotfix package
Disables the vulnerability on older PyArrow versions without upgrading
pip install pyarrow-hotfix
🧯 If You Can't Patch
- Restrict file processing to trusted sources only - implement strict input validation and source whitelisting
- Implement file type verification and reject Arrow IPC, Feather, and Parquet files from untrusted sources
🔍 How to Verify
Check if Vulnerable:
Check the PyArrow version and whether the application processes Arrow IPC, Feather, or Parquet files from untrusted sources
Check Version:
python -c "import pyarrow; print(pyarrow.__version__)"
Verify Fix Applied:
Verify PyArrow version is 14.0.1 or later, or pyarrow-hotfix is installed
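Added example (not code from the advisory or the Apache Arrow project) that puts the "If You Can't Patch" file-type gate and the "How to Verify" version/hotfix check into one script. Function names and the sample bytes in the comments are constructed; the magic strings are the real format signatures, and the hotfix only protects a process that actually imports pyarrow_hotfix, not one that merely has it installed.

```python
from __future__ import annotations

import importlib
import importlib.util

# Real signatures: Arrow IPC file / Feather v2 ("ARROW1"), Feather v1 ("FEA1"),
# Parquet ("PAR1" both ends). IPC streams have no magic, so source allow-listing still matters.
ARROW_IPC_MAGIC = b"ARROW1"
FEATHER_V1_MAGIC = b"FEA1"
PARQUET_MAGIC = b"PAR1"
FIXED_VERSION = (14, 0, 1)  # first PyArrow release with the fix


def parse_version(version: str) -> tuple[int, ...]:
    """'14.0.1' -> (14, 0, 1); stops at the first non-numeric piece, so
    '13.0.0.dev1' -> (13, 0, 0) and '14.0.0rc0' -> (14, 0)."""
    parts: list[int] = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def pyarrow_is_fixed(version: str, hotfix_loaded: bool) -> bool:
    """Fixed when PyArrow >= 14.0.1, or when pyarrow_hotfix is active."""
    return parse_version(version) >= FIXED_VERSION or hotfix_loaded

def classify_file(head: bytes, tail: bytes) -> str | None:
    """Name the format from a file's first and last bytes, else None."""
    if head.startswith(ARROW_IPC_MAGIC):
        return "arrow-ipc"
    if head.startswith(FEATHER_V1_MAGIC):
        return "feather-v1"
    if head.startswith(PARQUET_MAGIC) and tail.endswith(PARQUET_MAGIC):
        return "parquet"
    return None

def should_reject(head: bytes, tail: bytes, trusted_source: bool) -> bool:
    """'If You Can't Patch' rule: drop these formats from untrusted sources."""
    return classify_file(head, tail) is not None and not trusted_source

def check_environment() -> dict:
    """Installed PyArrow version and hotfix presence. Note that pyarrow_hotfix
    only takes effect once the application actually imports it."""
    version = None
    if importlib.util.find_spec("pyarrow") is not None:
        version = importlib.import_module("pyarrow").__version__
    hotfix = importlib.util.find_spec("pyarrow_hotfix") is not None
    fixed = version is not None and pyarrow_is_fixed(version, hotfix)
    return {"version": version, "hotfix_installed": hotfix, "fixed": fixed}
```

Feed the first and last few bytes of each upload to should_reject before any pyarrow call; check_environment can run as a deployment smoke test.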
📡 Detection & Monitoring
Log Indicators:
- Unexpected process execution after file processing
- Errors in PyArrow deserialization logs
- Unusual file upload patterns
Network Indicators:
- Large or malformed file uploads to PyArrow processing endpoints
SIEM Query:
process.name:python AND process.args:*pyarrow* AND event.action:exec
🔗 References
- https://github.com/apache/arrow/commit/f14170976372436ec1d03a724d8d3f3925484ecf
- https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FR34AIPXVTMB3XPRU5ULV5HHWPMRE33X/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAGWEAJDWO2ACYATUQCPXLSYY5C3L3XU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWFYXLVBTBHNKYRXI572RFX7IJDDQGBL/
- https://pypi.org/project/pyarrow-hotfix/