Technology

Apache Parquet users warned of maximum risk security flaw, told to patch now

April 4, 2025

Researchers claim Apache Parquet was carrying a maximum-severity flaw
It allows threat actors to run arbitrary code
A patch was released, and users are urged to apply it

Apache Parquet, a columnar storage file format, was carrying a maximum-severity vulnerability that allowed threat actors to run arbitrary code on affected endpoints.

Parquet is a columnar storage file format optimized for efficient data storage and processing, commonly used in big data and analytics workloads, with Amazon, Google, Microsoft, and Meta just some of the large companies which use it.

The bug, spotted on April 1, 2025, by Amazon security researcher Key Li, is now tracked as CVE-2025-30065, and has a maximum severity score – 10/10 (critical).

Patch and mitigations

“Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code,” a short description on the NVD page reads. “Users are recommended to upgrade to version 1.15.1, which fixes the issue.”

The problem reportedly stems from the deserialization of untrusted data, that allows threat actors to gain control of target systems via specially crafted Parquet files.

he caveat here is that the victim needs to be tricked into importing the files which, the researchers suggest, means that the threat is not as imminent, despite the 10/10 score.

Those that are unable to upgrade their Apache Parquet instances to version 1.15.1 straight away are advised to avoid untrusted Parquet files, or at least to carefully analyze them before taking action.

Furthermore, IT teams should monitor and log their Parquet processing systems more closely these days.

At press time, there was no evidence of abuse in the wild, although hackers usually start scanning for vulnerable endpoints once a patch is released, betting that many organizations don’t apply it on time.

Via BleepingComputer

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar