CVE-2025-30065: 
Java vulnerability analysis and mitigation

A critical remote code execution (RCE) vulnerability, identified as CVE-2025-30065, was discovered in Apache Parquet's Java implementation. The vulnerability affects the parquet-avro module of Apache Parquet versions 1.15.0 and earlier, allowing attackers to execute arbitrary code through schema parsing. The flaw was discovered by Keyi Li from Amazon and disclosed on April 1, 2025 (Apache Security, Bleeping Computer).

The vulnerability stems from unsafe deserialization of untrusted data in the parquet-avro module, specifically related to schema parsing functionality. It has been assigned the highest possible CVSS v4.0 score of 10.0 CRITICAL with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. The flaw is classified as CWE-502 (Deserialization of Untrusted Data) and was introduced in version 1.8.0, though all versions up to 1.15.0 are considered vulnerable (Endor Labs, NVD).

The vulnerability can impact data pipelines and analytics systems that import Parquet files, particularly when those files come from external or untrusted sources. This affects systems using popular big-data frameworks such as Hadoop, Spark, and Flink, as well as custom applications incorporating the Parquet Java code. If attackers can tamper with the files, they could potentially execute arbitrary code on the affected systems (Microsoft Security).

Users are strongly recommended to upgrade to Apache Parquet version 1.15.1, which includes a fix for this vulnerability. The fix involves implementing restrictions on trusted packages in the parquet-avro module. For organizations unable to update immediately, it is recommended to avoid processing Parquet files from untrusted sources and implement careful validation of files before processing (Bleeping Computer, GitHub PR).