- Researchers claim Apache Parquet was carrying a maximum-severity flaw
- It allows threat actors to run arbitrary code
- A patch was released, and users are urged to apply it
Apache Parquet, a columnar storage file format, was carrying a maximum-severity vulnerability that allowed threat actors to run arbitrary code on affected endpoints.
Parquet is a columnar storage file format optimized for efficient data storage and processing, commonly used in big data and analytics workloads, with Amazon, Google, Microsoft, and Meta just some of the large companies which use it.
The bug, spotted on April 1, 2025, by Amazon security researcher Key Li, is now tracked as CVE-2025-30065, and has a maximum severity score – 10/10 (critical).
Patch and mitigations
“Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code,” a short description on the NVD page reads. “Users are recommended to upgrade to version 1.15.1, which fixes the issue.”
The problem reportedly stems from the deserialization of untrusted data, that allows threat actors to gain control of target systems via specially crafted Parquet files.
he caveat here is that the victim needs to be tricked into importing the files which, the researchers suggest, means that the threat is not as imminent, despite the 10/10 score.
Those that are unable to upgrade their Apache Parquet instances to version 1.15.1 straight away are advised to avoid untrusted Parquet files, or at least to carefully analyze them before taking action.
Furthermore, IT teams should monitor and log their Parquet processing systems more closely these days.
At press time, there was no evidence of abuse in the wild, although hackers usually start scanning for vulnerable endpoints once a patch is released, betting that many organizations don’t apply it on time.
Via BleepingComputer
Leave a comment