A most severity security vulnerability has been disclosed in Apache Parquet’s Java Library that, if efficiently exploited, may enable a distant attacker to execute arbitrary code on prone cases.
Apache Parquet is a free and open-source columnar information file format that is designed for environment friendly information processing and retrieval, offering help for advanced information, high-performance compression, and encoding schemes. It was first launched in 2013.
The vulnerability in query is tracked as CVE-2025-30065. It carries a CVSS rating of 10.0.
“Schema parsing within the parquet-avro module of Apache Parquet 1.15.0 and former variations permits dangerous actors to execute arbitrary code,” the venture maintainers stated in an advisory.
Based on Endor Labs, profitable exploitation of the flaw requires tricking a weak system into studying a specifically crafted Parquet file to acquire code execution.
“This vulnerability can impression information pipelines and analytics methods that import Parquet recordsdata, significantly when these recordsdata come from exterior or untrusted sources,” the corporate stated. “If attackers can tamper with the recordsdata, the vulnerability could also be triggered.”
The shortcoming impacts all variations of the software program as much as and together with 1.15.0. It has been addressed in model 1.15.1. Keyi Li of Amazon has been credited with discovering and reporting the flaw.
Whereas there isn’t a proof that the flaw has been exploited within the wild, vulnerabilities in Apache initiatives have develop into a lightning rod for risk actors trying to opportunistically breach methods and deploy malware.
Final month, a crucial security flaw in Apache Tomcat (CVE-2025-24813, CVSS rating: 9.8) got here beneath lively exploitation inside 30 hours of public disclosure.
Cloud security agency Aqua, in an evaluation printed this week, stated it found a brand new assault marketing campaign that targets Apache Tomcat servers with easy-to-guess credentials to deploy encrypted payloads which might be designed to steal SSH credentials for lateral motion and finally hijack the system sources for illicit cryptocurrency mining.
The payloads are additionally able to establishing persistence and performing as a Java-based net shell that “permits the attacker to execute arbitrary Java code on the server,” Assaf Morag, director of risk intelligence at Aqua, stated.
“As well as, the script is designed to test if the consumer has root privileges and if that’s the case it executes two capabilities that optimize CPU consumption for higher cryptomining outcomes.”
The marketing campaign, which impacts each Home windows and Linux methods, is probably going assessed to be the work of a Chinese language-speaking risk actor owing to the presence of Chinese language language feedback within the supply code.
