Critical Flaw in Apache Parquet Allows Remote Attackers to Execute Arbitrary Code
A maximum severity security vulnerability has been disclosed in Apache Parquet's Java Library that, if successfully exploited, could allow a remote attacker to execute arbitrary code on susceptible instances.
Apache Parquet is a free and open-source columnar data file format that's designed for efficient data processing and retrieval, providing support for complex data, high-performance compression, and encoding schemes. It was first launched in 2013.
The vulnerability in question is tracked as CVE-2025-30065. It carries a CVSS score of 10.0.
"Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code," the project maintainers said in an advisory.
According to Endor Labs, successful exploitation of the flaw requires tricking a vulnerable system into reading a specially crafted Parquet file to obtain code execution.
"This vulnerability can impact data pipelines and analytics systems that import Parquet files, particularly when those files come from external or untrusted sources," the company said. "If attackers can tamper with the files, the vulnerability may be triggered."
The shortcoming impacts all versions of the software up to and including 1.15.0. It has been addressed in version 1.15.1. Keyi Li of Amazon has been credited with discovering and reporting the flaw.
While there is no evidence that the flaw has been exploited in the wild, vulnerabilities in Apache projects have become a lightning rod for threat actors looking to opportunistically breach systems and deploy malware.
Last month, a critical security flaw in Apache Tomcat (CVE-2025-24813, CVSS score: 9.8) came under active exploitation within 30 hours of public disclosure.
Cloud security firm Aqua, in an analysis published this week, said it discovered a new attack campaign that targets Apache Tomcat servers with easy-to-guess credentials to deploy encrypted payloads that are designed to steal SSH credentials for lateral movement and ultimately hijack the system resources for illicit cryptocurrency mining.
The payloads are also capable of establishing persistence and acting as a Java-based web shell that "enables the attacker to execute arbitrary Java code on the server," Assaf Morag, director of threat intelligence at Aqua, said.
"In addition, the script is designed to check if the user has root privileges and if so it executes two functions that optimize CPU consumption for better cryptomining results."
The campaign, which affects both Windows and Linux systems, is likely assessed to be the work of a Chinese-speaking threat actor owing to the presence of Chinese language comments in the source code.
CERT-UA Reports Cyberattacks Targeting Ukrainian State Systems with WRECKSTEEL Malware
Critical Ivanti Flaw Actively Exploited to Deploy TRAILBLAZE and BRUSHFIRE Malware
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
InformationalStorable and Cacheable Content
HighLDAP Injection
Free online web security scanner
