CVE-2025-46762

8.1 HIGH

📋 TL;DR

This vulnerability in Apache Parquet's parquet-avro module allows attackers to execute arbitrary code by exploiting schema parsing when reading malicious Parquet files. It affects systems using Apache Parquet 1.15.0 and earlier, specifically when using the 'specific' or 'reflect' data models for reading files. The 'generic' model is not vulnerable.

💻 Affected Systems

Products:
  • Apache Parquet
Versions: 1.15.0 and earlier versions
Operating Systems: All operating systems running Java applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when using 'specific' or 'reflect' data models for reading Parquet files. The 'generic' model is safe. The default trusted packages setting in 1.15.1 still allows exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with remote code execution, allowing attackers to install malware, exfiltrate data, or pivot to other systems.
🟠 Likely Case: Data theft or system manipulation through code execution when processing untrusted Parquet files, particularly in data pipeline environments.
🟢 If Mitigated: No impact if proper controls are implemented, such as upgrading to patched versions or applying recommended configuration changes.

🌐 Internet-Facing: MEDIUM - Exploitation requires processing malicious Parquet files, which could be uploaded to web services or data processing pipelines exposed to external users.
🏢 Internal Only: MEDIUM - Internal data processing systems that handle untrusted Parquet files from various sources remain vulnerable to exploitation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires attackers to craft malicious Parquet files that get processed by vulnerable systems. No authentication is needed if the system processes external files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.15.2

Vendor Advisory: https://lists.apache.org/thread/t7724lpvl110xsbgqwsmrdsns0rhycdp

Restart Required: Yes

Instructions:

1. Upgrade Apache Parquet to version 1.15.2 or later.
2. Restart all applications using the parquet-avro module.
3. Verify the new version is in use.

🔧 Temporary Workarounds

Set SERIALIZABLE_PACKAGES to empty string

Applies to: all

Configure the system property to restrict untrusted packages from being deserialized:

-Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES=""

🧯 If You Can't Patch

  • Avoid using 'specific' or 'reflect' data models for reading untrusted Parquet files
  • Implement strict input validation and sandboxing for Parquet file processing

🔍 How to Verify

Check if Vulnerable:

Check whether the Apache Parquet version is 1.15.0 or earlier and whether applications use the 'specific' or 'reflect' data models for reading Parquet files.

Check Version:

Check application dependencies or build configuration for the Apache Parquet version.

Verify Fix Applied:

Verify that the Apache Parquet version is 1.15.2 or later, or confirm that the SERIALIZABLE_PACKAGES system property is set to an empty string.
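The three checks above (version, data model, system property) can be folded into one assessment. The following is an added example, not code from the advisory or from the Apache Parquet project: it reads the parquet-avro version out of `mvn dependency:tree` output, extracts the `-Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES=...` flag from a JVM command line, and classifies the deployment as patched, mitigated, not exposed, or vulnerable. The dependency-tree and command-line strings are constructed sample input; the function and variable names are this example's own.

```python
"""Added example (not from the advisory or the Apache Parquet project):
classify a deployment's exposure to CVE-2025-46762 from the three facts the
advisory names: parquet-avro version, Avro data model used for reads, and the
value of the SERIALIZABLE_PACKAGES system property."""
import re

FIXED_VERSION = (1, 15, 2)                     # patch version from the advisory
VULNERABLE_MODELS = {"specific", "reflect"}    # 'generic' is not affected
PROPERTY = "org.apache.parquet.avro.SERIALIZABLE_PACKAGES"

# Line shape emitted by `mvn dependency:tree`, e.g.
# "[INFO] +- org.apache.parquet:parquet-avro:jar:1.15.0:compile"
DEP_LINE = re.compile(r"org\.apache\.parquet:parquet-avro:jar:([0-9][^:]*):")
# "-Dprop=value" on a JVM command line; the value may be quoted or empty.
PROP_FLAG = re.compile(r"-D" + re.escape(PROPERTY) + r'=("[^"]*"|\S*)')

# Constructed sample input, not real build output.
SAMPLE_TREE = """\
[INFO] com.example:pipeline:jar:1.0
[INFO] +- org.apache.parquet:parquet-avro:jar:1.15.0:compile
[INFO] |  \\- org.apache.avro:avro:jar:1.11.3:compile
[INFO] \\- org.apache.parquet:parquet-hadoop:jar:1.15.0:compile
"""


def parse_version(text):
    """'1.15.0' -> (1, 15, 0); a qualifier such as '-SNAPSHOT' is dropped."""
    core = text.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def find_parquet_avro_version(dependency_tree):
    """Return the parquet-avro version string found in dependency:tree output, or None."""
    for line in dependency_tree.splitlines():
        match = DEP_LINE.search(line)
        if match:
            return match.group(1)
    return None


def property_from_jvm_args(command_line):
    """Return the SERIALIZABLE_PACKAGES value from a JVM command line, or None if unset."""
    match = PROP_FLAG.search(command_line)
    if not match:
        return None
    return match.group(1).strip('"')


def assess(version, data_model, serializable_packages=None):
    """Return 'patched', 'mitigated', 'not-exposed' or 'vulnerable'.

    serializable_packages is the system property value, or None when it is unset
    (the default trusted-packages setting, which the advisory says is still exploitable).
    """
    if parse_version(version) >= FIXED_VERSION:
        return "patched"
    if serializable_packages == "":
        return "mitigated"        # the advisory's workaround: property set to ""
    if data_model.lower() not in VULNERABLE_MODELS:
        return "not-exposed"      # only specific/reflect readers are affected
    return "vulnerable"


def assess_deployment(dependency_tree, data_model, command_line):
    """Combine the three sources into one verdict; 'unknown' if parquet-avro is absent."""
    version = find_parquet_avro_version(dependency_tree)
    if version is None:
        return "unknown"
    return assess(version, data_model, property_from_jvm_args(command_line))


if __name__ == "__main__":
    cmd = 'java -Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES="" -jar pipeline.jar'
    print(assess_deployment(SAMPLE_TREE, "specific", cmd))   # mitigated
    print(assess_deployment(SAMPLE_TREE, "specific", "java -jar pipeline.jar"))  # vulnerable
```

Feed `assess_deployment` the real `mvn dependency:tree` output and the running JVM's command line (for example from `ps -o args=`); a result of `mitigated` still warrants scheduling the 1.15.2 upgrade, since it depends on a launch flag that is easy to lose.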

📡 Detection & Monitoring

Log Indicators:

  • Unexpected Java class loading errors
  • Stack traces involving parquet-avro schema parsing
  • Unusual process execution from Java applications

Network Indicators:

  • Unexpected outbound connections from data processing systems
  • Large data transfers following Parquet file processing

SIEM Query:

Search for Java exceptions containing 'parquet.avro' or 'ClassNotFoundException' in application logs following Parquet file processing
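The query above has two parts: a text match on the exception and a "following Parquet file processing" correlation. The script below is an added example, not from the advisory or any SIEM product, showing that correlation over application log lines: a line recording a Parquet read opens a per-thread window, and an exception in the same thread within that window whose text contains `parquet.avro` or `ClassNotFoundException` is reported. The log format, the "Reading Parquet file" marker, the thread names and the sample lines are all constructed for this example and must be adapted to the real logger's layout.

```python
"""Added example (not from the advisory): correlate suspicious Java exceptions with
a preceding Parquet read on the same thread. Log layout and sample lines are
constructed; adjust LOG_LINE and READ_MARKER to match the real application logs."""
from datetime import datetime, timedelta
import re

WINDOW_SECONDS = 60
# "<date> <time> <LEVEL> [<thread>] <message>"  (constructed layout)
LOG_LINE = re.compile(r"^(\S+ \S+) (\w+)\s+\[([^\]]+)\] (.*)$")
READ_MARKER = re.compile(r"Reading Parquet file (\S+)", re.IGNORECASE)
# The two text indicators named in the advisory's SIEM query.
SUSPECT = re.compile(r"parquet\.avro|ClassNotFoundException")

# Constructed sample log; class names are placeholders, not real indicators.
SAMPLE_LOG = [
    "2025-05-02 10:00:01 INFO  [worker-1] Reading Parquet file /ingest/upload-7f3a.parquet",
    "2025-05-02 10:00:02 ERROR [worker-1] Failed to build Avro schema: java.lang.ClassNotFoundException: placeholder.Klass",
    "2025-05-02 10:00:05 INFO  [worker-2] Reading Parquet file /ingest/daily.parquet",
    "2025-05-02 10:00:06 INFO  [worker-2] Read 1200 rows",
    "2025-05-02 10:00:07 WARN  [worker-3] java.lang.ClassNotFoundException: placeholder.Unrelated",
    "2025-05-02 10:00:10 INFO  [worker-4] Reading Parquet file /ingest/late.parquet",
    "2025-05-02 10:05:00 ERROR [worker-4] org.apache.parquet.avro schema parsing failed: ClassNotFoundException",
]


def parse(line):
    """Split a log line into (timestamp, level, thread, message); None if it does not match."""
    match = LOG_LINE.match(line)
    if not match:
        return None
    ts = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, match.group(2), match.group(3), match.group(4)


def correlate(lines, window=WINDOW_SECONDS):
    """Return hits: suspicious exceptions within `window` seconds of a Parquet read on the same thread."""
    last_read = {}   # thread -> (timestamp of read, file path)
    hits = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, _level, thread, msg = parsed
        read = READ_MARKER.search(msg)
        if read:
            last_read[thread] = (ts, read.group(1))
            continue
        if thread in last_read and SUSPECT.search(msg):
            read_ts, path = last_read[thread]
            if ts - read_ts <= timedelta(seconds=window):
                hits.append({"thread": thread, "file": path, "message": msg})
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOG):
        print(f"{hit['thread']}: {hit['file']} -> {hit['message']}")
```

On the sample data only `worker-1` is reported: `worker-3` raises an exception without a preceding read, and `worker-4`'s error falls outside the 60-second window. The window and the per-thread keying are the tuning knobs; a pipeline that reads many files per thread should key on a request or job id instead.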
