CVE-2025-46762: 
Java vulnerability analysis and mitigation

A critical security vulnerability (CVE-2025-46762) has been identified in Apache Parquet Java's parquet-avro module, affecting versions through 1.15.1. The vulnerability allows bad actors to execute arbitrary code through schema parsing when processing Avro schemas embedded in Parquet file metadata. Apache Parquet is a widely used open-source columnar storage format in data-intensive applications and analytics pipelines (Wiz, Security Online).

The vulnerability stems from how Avro schemas are deserialized from metadata stored in Parquet files. The issue specifically affects implementations using the 'specific' or 'reflect' models for schema resolution, while the 'generic' model remains unaffected. Although version 1.15.1 introduced restrictions on untrusted packages, the default list of trusted packages remains permissive enough to allow exploitation. The vulnerability has been assigned a CVSS 4.0 Base Score of 7.1 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/S:N/RE:M/U:Amber (NVD, Wiz).

When successfully exploited, this vulnerability can lead to remote code execution (RCE) in systems that process untrusted or user-supplied Parquet files. The impact is particularly severe for applications that use parquet-avro to read Parquet files while employing the specific or reflective Avro deserialization models (Security Online).

Two mitigation options are available: users should either upgrade to Apache Parquet Java 1.15.2, which includes hardened default settings, or for those on version 1.15.1, explicitly set the system property 'org.apache.parquet.avro.SERIALIZABLE_PACKAGES' to an empty string. Both solutions are confirmed to effectively address the vulnerability (OSS Security, Security Online).