A newly discovered vulnerability in the Parquet-avro module poses significant risks to applications using Java libraries, particularly big-data frameworks such as Hadoop, Spark, and Flink. This flaw enables the deserialization of untrusted data, allowing remote code execution (RCE) on target systems. Attackers could exploit this vulnerability to take control of systems, manipulate or steal data, and disrupt services. As of now, there have been no reported exploits, and a fix was silently introduced in version 1.15.1 of the library, released on March 16, 2025.
The Parquet-avro module in a popular library allows deserialization of untrusted data, posing a significant threat to Java applications by enabling remote code execution.
Applications using Hadoop, Spark, and Flink could be exploited via crafted Parquet files, which would allow attackers to gain control over affected systems.
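A defender's dependency audit for this advisory, added here as an example and not code from the original article: it scans Maven and Gradle build text for the parquet-avro module and flags any version older than the fixed release 1.15.1. The Maven coordinates org.apache.parquet:parquet-avro are assumed from the Apache Parquet Java project; the build snippet is constructed for the demonstration.

```python
import re

# First release the article reports as carrying the fix.
FIXED_VERSION = (1, 15, 1)
# Maven coordinates of the module (assumed from the Apache Parquet Java project).
GROUP, ARTIFACT = "org.apache.parquet", "parquet-avro"

# Constructed build text mixing a Maven <dependency> block and a Gradle line.
SAMPLE_BUILD = """
<dependency>
  <groupId>org.apache.parquet</groupId>
  <artifactId>parquet-avro</artifactId>
  <version>1.14.4</version>
</dependency>
implementation 'org.apache.parquet:parquet-avro:1.15.1'
compile "org.apache.parquet:parquet-avro:${parquetVersion}"
"""

def parse_version(v):
    """'1.15.1' or '1.15.1-SNAPSHOT' -> (1, 15, 1); qualifiers are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    return tuple(int(x or 0) for x in m.groups())

def is_vulnerable(version):
    """True when the declared version predates the fixed release."""
    return parse_version(version) < FIXED_VERSION

def find_parquet_avro_versions(text):
    """Return every parquet-avro version string declared in Maven or Gradle text."""
    maven = re.compile(
        r"<groupId>\s*" + re.escape(GROUP) + r"\s*</groupId>\s*"
        r"<artifactId>\s*" + re.escape(ARTIFACT) + r"\s*</artifactId>\s*"
        r"<version>\s*([^<\s]+)\s*</version>")
    gradle = re.compile(re.escape(f"{GROUP}:{ARTIFACT}:") + r"([^'\"\s]+)")
    return maven.findall(text) + gradle.findall(text)

def audit(text):
    """Map each declaration to 'vulnerable', 'fixed', or 'unknown' (e.g. ${property})."""
    results = []
    for v in find_parquet_avro_versions(text):
        try:
            status = "vulnerable" if is_vulnerable(v) else "fixed"
        except ValueError:
            status = "unknown"  # resolve the property before trusting this entry
        results.append((v, status))
    return results

if __name__ == "__main__":
    for version, status in audit(SAMPLE_BUILD):
        print(f"{ARTIFACT} {version}: {status}")
```

Entries reported as "unknown" use a build property and must be resolved (for example with the build tool's dependency listing) before the module can be considered patched.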