Max severity RCE flaw discovered in widely used Apache Parquet

Summary

A maximum severity remote code execution (RCE) vulnerability has been discovered impacting all versions of Apache Parquet up to and including 1.15.0. The problem stems from the deserialization of untrusted data that could allow attackers with specially crafted Parquet files to gain control of target systems, exfiltrate or modify data, disrupt services, or introduce dangerous payloads such as ransomware. The vulnerability is tracked under CVE-2025-30065 and has a CVSS v4 score of 10.0. The flaw was fixed with the release of Apache version 1.15.1. It should be noted that to exploit this flaw, threat actors must convince someone to import a specially crafted Parquet file. Severe threat to "big data" environments Apache Parquet is an open-source, columnar storage format designed for efficient data processing. Unlike row-based formats (like CSV), Parquet stores data by columns, which makes it faster and more space-efficient for analytical workloads. It is widely adopted across the data engineering and analytics ecosystem, including big data platforms like Hadoop, AWS, Amazon, Google, and Azure cloud services, data lakes, and ETL tools. Some large companies that use Parquet include Netflix, Uber, Airbnb, and LinkedIn. The security problem in Parquet was disclosed on April 1, 2025, following a responsible disclosure by its finder, Amazon researcher Keyi Li. "Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code," warned the short bulletin published on Openwall. "Users are recommended to upgrade to version 1.15.1, which fixes the issue." A separate bulletin by Endor Labs highlights the risk of CVE-2025-30065 exploitation more clearly, warning that the flaw can impact any data pipelines and analytics systems that import Parquet files, with the risk being significant for files sourced from external points. Endor Labs believes the problem was introduced in Parquet version 1.8.0, though older release...