Apache Parquet security advisories

Security information for Apache Parquet

Reporting

Do you want disclose a potential security issue for Apache Parquet? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Potential malicious code execution from trusted packages in the parquet-avro module when reading an Avro schema from a Parquet file metadata

CVE-2025-46762 [CVE] [CVE json] [OSV json]

Last updated: 2025-05-06T09:08:12.043Z

Affected

  • Apache Parquet Java through 1.15.1

Description

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code.

While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be executed.

The exploit is only applicable if the client code of parquet-avro uses the "specific" or the "reflect" models deliberately for reading Parquet files. ("generic" model is not impacted)

Users are recommended to upgrade to 1.15.2 or set the system property "org.apache.parquet.avro.SERIALIZABLE_PACKAGES" to an empty string on 1.15.1. Both are sufficient to fix the issue.

References

Credits

  • Andrew Pikler (reporter)
  • David Handermann (reporter)
  • Nándor Kollár (reporter)

Arbitrary code execution in the parquet-avro module when reading an Avro schema from a Parquet file metadata

CVE-2025-30065 [CVE] [CVE json] [OSV json]

Last updated: 2025-07-11T10:32:31.431Z

Affected

  • Apache Parquet Java through 1.15.0

Description

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code

Users are recommended to upgrade to version 1.15.1, which fixes the issue.

References

Credits

  • Keyi Li (Amazon) (finder)

Apache Parquet-MR potential DoS in case of malicious Parquet file

CVE-2021-41561 [CVE] [CVE json] [OSV json]

Last updated: 2021-12-20T11:09:26.601Z

Affected

  • Apache Parquet from 1.9.0 before Parquet-MR*

Description

Improper Input Validation vulnerability in Parquet-MR of Apache Parquet allows an attacker to DoS by malicious Parquet files. This issue affects Apache Parquet-MR version 1.9.0 and later versions.

References

Credits

  • This issue was discovered by Sergey Temnikov of the Amazon S3 team.