Apache Parquet security advisories
Security information for Apache Parquet
Reporting
Do you want disclose a potential security issue for Apache Parquet? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Potential malicious code execution from trusted packages in the parquet-avro module when reading an Avro schema from a Parquet file metadata
CVE-2025-46762 [CVE] [CVE json] [OSV json]
Last updated: 2025-05-06T09:08:12.043Z
Affected
- Apache Parquet Java through 1.15.1
Description
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code.
While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be executed.
The exploit is only applicable if the client code of parquet-avro uses the "specific" or the "reflect" models deliberately for reading Parquet files. ("generic" model is not impacted)
Users are recommended to upgrade to 1.15.2 or set the system property "org.apache.parquet.avro.SERIALIZABLE_PACKAGES" to an empty string on 1.15.1. Both are sufficient to fix the issue.
References
Credits
- Andrew Pikler (reporter)
- David Handermann (reporter)
- Nándor Kollár (reporter)
Arbitrary code execution in the parquet-avro module when reading an Avro schema from a Parquet file metadata
CVE-2025-30065 [CVE] [CVE json] [OSV json]
Last updated: 2025-07-11T10:32:31.431Z
Affected
- Apache Parquet Java through 1.15.0
Description
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code
Users are recommended to upgrade to version 1.15.1, which fixes the issue.
References
Credits
- Keyi Li (Amazon) (finder)
Apache Parquet-MR potential DoS in case of malicious Parquet file
CVE-2021-41561 [CVE] [CVE json] [OSV json]
Last updated: 2021-12-20T11:09:26.601Z
Affected
- Apache Parquet from 1.9.0 before Parquet-MR*
Description
Improper Input Validation vulnerability in Parquet-MR of Apache Parquet allows an attacker to DoS by malicious Parquet files. This issue affects Apache Parquet-MR version 1.9.0 and later versions.
References
Credits
- This issue was discovered by Sergey Temnikov of the Amazon S3 team.