Critical RCE vulnerability discovered in Apache Parquet

📟 News

Date: 07/04/2025

All versions of Apache Parquet up to and including 1.15.0 are affected by a critical remote code execution (RCE) vulnerability whose CVSS score is 10 out of 10.

Apache Parquet is an open-source, column-oriented data file format initially designed for the Apache Hadoop ecosystem. It’s widely used as the underlying file format in modern cloud-based data lake architectures. Cloud storage systems such as Amazon S3, Azure Data Lake Storage, and Google Cloud Storage commonly store data in Parquet format due to its efficient columnar representation and retrieval capabilities. Major companies using Parquet include Netflix, Uber, Airbnb, and LinkedIn.

The problem pertains to deserialization of untrusted data and enables an attacker to gain full control over a vulnerable system using a specially crafted Parquet file.

In other words, to exploit this bug, an attacker has to trick the victim into importing a malicious Parquet file. If successful, the hacker can steal and modify data, disrupt services, or deploy malicious payloads (e.g. ransomware).

The vulnerability whose identifier is CVE-2025-30065 was discovered by an Amazon specialist and fixed in Apache Parquet 1.15.1.

” Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.15.1, which fixes the issue,” – Openwall.

According to Endor Labs, CVE-2025-30065 can impact data pipelines and analytics systems that import Parquet files, particularly when those files come from external or untrusted sources.

Endor Labs experts believe that the vulnerability was introduced in version 1.8.0, although older versions could be affected as well.

If, for some reason, an immediate upgrade to Apache Parquet 1.15.1 isn’t possible, it’s recommended to avoid any untrusted Parquet files and check them thoroughly prior to processing.

Related posts:
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider

Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…

Full article →
2025.04.01 — Hackers abuse MU plugins to inject malicious payloads to WordPress

According to Sucuri, hackers store malicious code in the MU-plugins (Must-Use Plugins) directory in WordPress and execute it while remaining undetected. The technique was first discovered…

Full article →
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024

According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…

Full article →
2025.03.28 — Zero-day vulnerability in Windows results in NTLM hash leaks

Security experts reported a new zero-day vulnerability in Windows that enables remote attackers to steal NTLM credentials by tricking victims into viewing malicious files in Windows…

Full article →
2025.03.16 — Researchers force DeepSeek to write malware

According to Tenable, the AI chatbot DeepSeek R1 from China can be used to write malware (e.g. keyloggers and ransomware). DeepSeek was released in January 2025 and caused a stir…

Full article →
2025.03.07 — YouTube warns of scam video featuring its CEO

According to YouTube, scammers use an AI-generated video of the company's CEO in phishing attacks to steal user credentials. The scammers attack content creators by sending them…

Full article →
2025.04.15 — Hackers exploit authentication bypass bug in OttoKit WordPress plugin

Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…

Full article →
2025.02.21 — Microsoft fixes vulnerability in Power Pages exploited by cybercriminals

Microsoft patched a severe privilege escalation vulnerability in Power Pages used by hackers as a 0-day. The vulnerability tracked as CVE-2025-24989 (CVSS score 8.2) pertains…

Full article →
2025.03.05 — Polish Space Agency disconnects its network due to hacker attack

Last weekend, the Polish Space Agency (POLSA) had to disconnect all of its systems from the Internet to localize an attack targeting its IT infrastructure. After discovering the intrusion,…

Full article →
2025.04.23 — Improper authentication control vulnerability affects ASUS routers with AiCloud

ASUSTeK Computer Inc. fixed an improper authentication control vulnerability in routers with AiCloud. The bug allows remote attackers to perform unauthorized actions on vulnerable devices. The issue…

Full article →