SecurityWeek

Critical Apache Parquet Vulnerability Leads to Remote Code Execution

A critical vulnerability in Apache Parquet can be exploited to execute arbitrary code remotely, leading to complete system compromise.

A critical vulnerability in the Apache Parquet Java library could be exploited to completely compromise any system or application that reads Parquet files.

An open-source, column-oriented data file format, Apache Parquet enables efficient data storage and retrieval and supports the handling of complex data in bulk. It is used by multiple analytics tools and programming languages.

The critical bug, tracked as CVE-2025-30065, carries a maximum severity rating of 10/10 and is described as a deserialization of untrusted data issue affecting the library’s parquet-avro module.

The flaw was likely introduced in version 1.8.0 of the library and was addressed with the release of Parquet version 1.15.1. However, users are advised to review all historic iterations of the library.

“This vulnerability can impact data pipelines and analytics systems that import Parquet files, particularly when those files come from external or untrusted sources. If attackers can tamper with the files, the vulnerability may be triggered,” application security firm Endor Labs notes.

The security defect is triggered when a system reads a crafted Parquet file, resulting in remote code execution (RCE).

By exploiting the vulnerability, attackers could take control of vulnerable systems, steal or modify sensitive information, deploy ransomware and other types of malware, or shut down services, causing denial-of-service (DoS) conditions.

According to Endor Labs, all systems that read or import Parquet files through big-data frameworks such as Hadoop or Spark, as well as applications that incorporate the Parquet Java code directly, are vulnerable.


“If you are unsure whether your software stack uses Parquet, check with your vendors or developers – many data analytics and storage solutions include this library,” Endor Labs notes.

The application security firm notes that there is no evidence that CVE-2025-30065 has been exploited in the wild, but its severity suggests that attackers could soon add it to their arsenals.

In addition to updating to Parquet version 1.15.1, users are advised to be wary of Parquet files from unknown or untrusted sources and to consider blocking their processing entirely. They should also implement effective monitoring and logging so that any suspicious behavior can be identified.
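The first step in the advice above is knowing whether a vulnerable parquet-avro build is on your classpath at all. The script below is an added example, not code from the article, from Endor Labs or from the Apache Parquet project: it scans the text printed by `mvn dependency:tree` or `gradle dependencies` for the Maven coordinate `org.apache.parquet:parquet-avro` (an assumed coordinate; confirm it matches your build) and flags every version older than the 1.15.1 fix release named in the article. Because the article advises reviewing all historic iterations rather than only those from 1.8.0 onward, every pre-1.15.1 version is reported. The sample dependency output embedded in the block is constructed for illustration.

```python
"""Audit Maven/Gradle dependency output for Apache Parquet parquet-avro
versions older than the fixed release (1.15.1).

Added example, not from the SecurityWeek article or the Apache Parquet
project. It assumes the Maven coordinate org.apache.parquet:parquet-avro
and the text formats printed by `mvn dependency:tree` and
`gradle dependencies`; the sample output below is constructed.
"""
import re
from typing import List, Tuple

FIXED_VERSION = "1.15.1"  # release the article names as containing the fix

# Matches "org.apache.parquet:parquet-avro:jar:1.13.1:compile" (Maven) and
# "org.apache.parquet:parquet-avro:1.13.1 -> 1.15.1" (Gradle, with resolution).
_COORD_RE = re.compile(
    r"org\.apache\.parquet:parquet-avro(?::jar)?:(?P<declared>\d[^\s:]*)"
    r"(?:\s*->\s*(?P<resolved>\d[^\s:]*))?"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.15.1' or '1.15.1-SNAPSHOT' into a comparable tuple (1, 15, 1).

    The pre-release qualifier is dropped, so a 1.15.1 snapshot compares equal
    to the fixed release; that is an assumption a stricter audit may not make.
    """
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split(".") if part.isdigit())


def is_vulnerable(version: str) -> bool:
    """True when the version predates the 1.15.1 fix.

    The article says the flaw was likely introduced in 1.8.0 but advises
    reviewing all historic versions, so every release before 1.15.1 is flagged.
    """
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_parquet_avro_versions(dependency_output: str) -> List[str]:
    """Return the effective parquet-avro version from each matching line.

    For Gradle lines with a '->' resolution, the resolved version is what
    actually lands on the classpath, so that is the one reported.
    """
    versions = []
    for match in _COORD_RE.finditer(dependency_output):
        versions.append(match.group("resolved") or match.group("declared"))
    return versions


def audit(dependency_output: str) -> List[Tuple[str, bool]]:
    """Pair each parquet-avro version found with whether it needs upgrading."""
    return [(v, is_vulnerable(v)) for v in find_parquet_avro_versions(dependency_output)]


# Constructed sample mixing Maven and Gradle output formats (not real build output).
SAMPLE_OUTPUT = """\
[INFO] +- org.apache.parquet:parquet-avro:jar:1.13.1:compile
[INFO] |  \\- org.apache.parquet:parquet-hadoop:jar:1.13.1:compile
[INFO] \\- org.apache.parquet:parquet-avro:jar:1.15.1:test
+--- org.apache.parquet:parquet-avro:1.12.3 -> 1.15.1
+--- org.apache.parquet:parquet-avro:1.7.0
"""

if __name__ == "__main__":
    for version, vulnerable in audit(SAMPLE_OUTPUT):
        status = "UPGRADE to %s" % FIXED_VERSION if vulnerable else "ok"
        print("parquet-avro %s: %s" % (version, status))
```

Run it against real output with something like `mvn dependency:tree | python audit_parquet.py` after replacing `SAMPLE_OUTPUT` with `sys.stdin.read()`. Note that this only covers dependencies declared in your own build; vendor products that bundle the library, as the article warns, will not show up here and need to be checked with the vendor.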

“Watch for any further advisories from Apache or cybersecurity authorities. This vulnerability is evolving, and additional guidance or patches might emerge. Applying all recommended software updates (not just for Parquet) and following secure configuration practices will strengthen your defense,” Endor Labs notes.

Related: Two CVEs, One Critical Flaw: Inside the CrushFTP Vulnerability Controversy

Related: Critical Next.js Vulnerability in Hacker Crosshairs

Related: Critical AMI BMC Vulnerability Exposes Servers to Disruption, Takeover

Related: Critical PHP Vulnerability Under Mass Exploitation

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
