Apache Avro security advisories

Security information for Apache Avro

Reporting

Do you want disclose a potential security issue for Apache Avro? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Code injection on Java generated code

CVE-2025-33042 [CVE] [CVE json] [OSV json]

Last updated: 2026-02-13T11:47:01.866Z

Affected

  • Apache Avro Java SDK through 1.11.4
  • Apache Avro Java SDK at 1.12.0

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.

This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0.

Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.

References

Credits

  • Brant Eckert (finder)

Arbitrary Code Execution when reading Avro schema (Java SDK)

CVE-2024-47561 [CVE] [CVE json] [OSV json]

Last updated: 2024-10-21T08:50:48.382Z

Affected

  • Apache Avro Java SDK before 1.11.4

Description

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.
Users are recommended to upgrade to version 1.11.4  or 1.12.0, which fix this issue.

References

Credits

  • Kostya Kortchinsky, from the Databricks Security Team (finder)

Memory when deserializing untrusted data in Avro Java SDK

CVE-2023-39410 [CVE] [CVE json]

Last updated: 2025-02-06T14:33:53.747Z

Affected

  • Apache Avro Java SDK before 1.11.3

Description

When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.

This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.

References

Credits

  • Adam Korczynski at ADA Logics Ltd (finder)

Integer overflow when reading corrupted .avro file in Avro Rust SDK

CVE-2022-36125 [CVE] [CVE json] [OSV json]

Last updated: 2022-08-09T06:44:50.447Z

Affected

  • Apache Avro from unspecified before 0.14.0

Description

It is possible to crash (panic) an application by providing a corrupted data to be read. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue.

References

Credits

  • This issue was reported to the Apache Avro team by Evan Richter at ForAllSecure and found with Mayhem.

Memory overconsumption in Avro Rust SDK

CVE-2022-36124 [CVE] [CVE json] [OSV json]

Last updated: 2022-08-09T06:46:06.388Z

Affected

  • Apache Avro from unspecified before 0.14.0

Description

It is possible for a Reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue.

References

Credits

  • This issue was reported to the Apache Avro team by Evan Richter at ForAllSecure and found with Mayhem.

Denial of service while reading data in Avro Rust SDK

CVE-2022-35724 [CVE] [CVE json] [OSV json]

Last updated: 2022-08-09T06:43:41.354Z

Affected

  • Apache Avro from unspecified before 0.14.0

Description

It is possible to provide data to be read that leads the reader to loop in cycles endlessly, consuming CPU. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue.

References

Credits

  • This issue was reported to the Apache Avro team by Evan Richter at ForAllSecure and found with Mayhem.

Possible DOS vulnerabilities in C# Avro SDK

CVE-2021-43045 [CVE] [CVE json] [OSV json]

Last updated: 2022-01-06T17:58:30.429Z

Affected

  • Apache Avro from Apache Avro through 1.10.2

Description

A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0 which addresses this issue.

References

Credits

  • Apache Avro would like to thank Philip Sanetra for reporting this issue.