Home > Vulnerability Database > CVE-2025-46762

Mend.io Vulnerability Database

CVE-2025-46762

Good to know:

Date: May 6, 2025

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be executed. The exploit is only applicable if the client code of parquet-avro uses the "specific" or the "reflect" models deliberately for reading Parquet files. ("generic" model is not impacted) Users are recommended to upgrade to 1.15.2 or set the system property "org.apache.parquet.avro.SERIALIZABLE_PACKAGES" to an empty string on 1.15.1. Both are sufficient to fix the issue.

Severity Score

9.8

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-46762

Url: https://github.com/apache/parquet-java

Url: http://www.openwall.com/lists/oss-security/2025/05/02/1

Url: https://issues.apache.org/jira/browse/AVRO-3985

Url: https://lists.apache.org/thread/t7724lpvl110xsbgqwsmrdsns0rhycdp

Url: https://www.mend.io/vulnerability-database/CVE-2025-46762

Severity Score

9.8

Weakness Type (CWE)

External Control of File Name or Path

CWE-73

Top Fix

Upgrade Version

Upgrade to version org.apache.parquet:parquet-avro:1.15.1;org.apache.parquet:parquet-avro:1.15.2;https://github.com/apache/parquet-java.git - apache-parquet-1.15.1

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-46762

Good to know:

Date: May 6, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?