Critical vulnerability with the maximum severity rating closed in Apache Parquet

If big data systems rely on the Apache Parquet open source file format for data processing, attacks may be imminent.


A vulnerability in Apache Parquet lets attackers get malicious code onto systems. The column-oriented open source file format is used in big data environments to store and retrieve data more efficiently. A security patch is available for download.

According to an entry on the Openwall mailing list, the developers have closed the vulnerability in version 1.15.1. All previous versions are vulnerable. The vulnerability (CVE-2025-30065) is rated "critical" and carries the highest possible CVSS score of 10 out of 10. It specifically affects the parquet-avro module of the Apache Parquet Java library.

As security researchers from Endor Labs explain in a report, attackers can use crafted files to exploit the vulnerability. Because of insufficient checks, these files are processed and malicious code gets onto systems. Attackers can then install malware and completely compromise computers.

The researchers assume that all applications that use Apache Parquet are vulnerable. This also affects systems that process Parquet files in big data frameworks such as Hadoop or Spark. Admins should definitely check whether they are using Apache Parquet at any point.
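One way to run that check on a host is to inventory every JAR for the parquet-avro module and compare its version against 1.15.1. The script below is an added example, not code from the article, Endor Labs or the Apache project. It assumes the module is identifiable by its JAR file name or by the Maven metadata path `META-INF/maven/org.apache.parquet/parquet-avro/pom.properties` that shaded JARs usually retain; the function names are illustrative.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

FIXED = (1, 15, 1)  # first fixed release named in the article
# Assumption: Maven metadata path kept inside shaded ("uber") jars.
POM = "META-INF/maven/org.apache.parquet/parquet-avro/pom.properties"
NAME_RE = re.compile(r"parquet-avro-(\d+(?:\.\d+)*)[^/]*\.jar$")

def parse_version(text):
    """'1.13.1' -> (1, 13, 1); '1.15.0-SNAPSHOT' -> (1, 15, 0); None if unparsable."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else None

def is_vulnerable(version):
    """True if version is older than FIXED (numeric compare, so 1.9 < 1.15)."""
    v = parse_version(version)
    return v is not None and (v + (0, 0, 0))[:3] < FIXED

def find_in_archive(source, label):
    """Return [(location, version)] for parquet-avro in a jar, nested jars included."""
    by_name = NAME_RE.search(label)
    found = [(label, by_name.group(1))] if by_name else []
    try:
        with zipfile.ZipFile(source) as zf:
            for name in zf.namelist():
                if name == POM and not by_name:  # classes merged into a fat jar
                    props = zf.read(name).decode("utf-8", "replace")
                    ver = re.search(r"^version=(.+)$", props, re.M)
                    if ver:
                        found.append((f"{label}!{name}", ver.group(1).strip()))
                elif name.endswith(".jar"):  # e.g. BOOT-INF/lib/ or WEB-INF/lib/
                    nested = io.BytesIO(zf.read(name))
                    found += find_in_archive(nested, f"{label}!{name}")
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable or not a zip archive: skip it
    return found

def scan(root):
    """Walk root for *.jar files; return [(location, version, vulnerable)]."""
    hits = []
    for jar in Path(root).rglob("*.jar"):
        hits += find_in_archive(str(jar), str(jar))
    return [(loc, ver, is_vulnerable(ver)) for loc, ver in hits]

if __name__ == "__main__":
    print(*scan(sys.argv[1] if len(sys.argv) > 1 else "."), sep="\n")
```

A build that strips `META-INF` from a shaded JAR will not be detected this way, so an empty result is not proof that the module is absent; dependency listings from the build tool remain the authoritative source.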


According to the researchers, there are no indications of attacks to date. However, due to the critical classification of the vulnerability, admins should install the security update as soon as possible. If that is not possible right away, the processing of Parquet files should be strictly monitored, with comprehensive monitoring and logging in place.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.