Apache Parquet CVE-2025-30065
Cloudera released a hotfix for Cloudera Data Services on premises 1.5.4 SP2 and newer to address a critical vulnerability in the parquet-avro module of Apache Parquet.
Background:
On April 1, 2025, a critical vulnerability in the parquet-avro module of Apache Parquet (CVE-2025-30065, CVSS score 10.0) was announced.
Cloudera has determined the list of affected products, and is issuing this TSB to provide details of remediation for affected versions.
Upgraded versions are being released for all currently affected supported releases of Cloudera products. Customers using older versions are advised to upgrade to a supported release that has the remediation, once it becomes available.
Vulnerability Details:
Exploitation requires that an attacker control the schema that parquet-avro parses: in practice, the attacker supplies a specially crafted Parquet file whose embedded Avro schema has been modified, and a parquet-avro reader then processes that file. Files produced by trusted writers do not trigger the issue on their own; the exposure is in reading Parquet files from untrusted sources.
CVE-2025-30065 | Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code.
Severity (Critical):
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Impact:
Because the schema is parsed from attacker-controlled input, attackers may be able to modify objects or data that the reading application assumed were safe from modification. Deserialized data or code could be altered without going through the provided accessor functions, or unexpected functions could be invoked.
Deserialization flaws of this kind most commonly lead to undefined behavior; for a Java library such as parquet-avro the practical outcome is arbitrary code execution in the process that reads the file, with that process's privileges and credentials.
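The following is an added example, not code from the TSB or from Apache Parquet, that shows the pre-ingest check a practitioner can run on the Avro schema a Parquet file carries before letting parquet-avro parse it. Avro schemas may carry Java class hints (the standard `java-class`, `java-key-class` and `java-element-class` properties) that tell a reflect-based reader which Java class to instantiate for a value; a tampered schema is where an attacker would plant an unexpected class name. The script walks a schema, collects every such hint and reports those outside an allowlist of package prefixes. The allowlist and both sample schemas (including the fictional `com.example.Untrusted` class name) are this example's own constructed assumptions, not settings or artifacts from the advisory.

```python
import json
from typing import Iterator, List, Optional, Tuple

# Avro reflect-mapping properties that name a Java class to instantiate when a
# value of this type is converted by a reflect/stringable-aware reader.
JAVA_CLASS_HINTS = ("java-class", "java-key-class", "java-element-class")

# Package prefixes this example treats as safe. Assumption for illustration:
# adjust to the classes your own schemas legitimately use.
DEFAULT_TRUSTED_PREFIXES = (
    "java.lang.", "java.math.", "java.io.", "java.net.", "org.apache.parquet.avro.",
)

Finding = Tuple[str, str, str]  # (schema path, hint property, class name)


def iter_class_hints(schema, path: str = "$") -> Iterator[Finding]:
    """Yield every Java class hint found anywhere in an Avro schema.

    Handles records (via 'fields'), arrays ('items'), maps ('values'),
    unions (JSON lists) and nested/complex 'type' entries. Bare strings are
    primitive or named-type references and carry no properties.
    """
    if isinstance(schema, dict):
        for hint in JAVA_CLASS_HINTS:
            value = schema.get(hint)
            if isinstance(value, str):
                yield path, hint, value
        fields = schema.get("fields")
        if isinstance(fields, list):
            for field in fields:
                name = field.get("name", "?") if isinstance(field, dict) else "?"
                yield from iter_class_hints(field, f"{path}.fields[{name}]")
        for key in ("type", "items", "values"):
            if key in schema:
                yield from iter_class_hints(schema[key], f"{path}.{key}")
    elif isinstance(schema, list):  # union: check each branch
        for index, branch in enumerate(schema):
            yield from iter_class_hints(branch, f"{path}[{index}]")


def untrusted_class_hints(schema, trusted_prefixes=DEFAULT_TRUSTED_PREFIXES) -> List[Finding]:
    """Return the class hints whose class is not under an allowlisted package."""
    return [
        (path, hint, cls)
        for path, hint, cls in iter_class_hints(schema)
        if not cls.startswith(trusted_prefixes)
    ]


def check_avro_schema_json(schema_json: str,
                           trusted_prefixes=DEFAULT_TRUSTED_PREFIXES) -> List[Finding]:
    """Parse an Avro schema JSON string (as stored in Parquet file metadata) and
    report untrusted class hints. Callers should refuse to read the file if the
    returned list is non-empty."""
    return untrusted_class_hints(json.loads(schema_json), trusted_prefixes)


# Constructed sample: a legitimate schema using a stringable BigDecimal field.
BENIGN_SCHEMA = json.dumps({
    "type": "record", "name": "Order", "fields": [
        {"name": "id", "type": "string"},
        {"name": "amount", "type": {"type": "string", "java-class": "java.math.BigDecimal"}},
    ],
})

# Constructed sample: the same schema with class hints pointing at a fictional
# class outside the allowlist, once on an array and once inside a union branch.
TAMPERED_SCHEMA = json.dumps({
    "type": "record", "name": "Order", "fields": [
        {"name": "id", "type": "string"},
        {"name": "tags", "type": {"type": "array", "items": "string",
                                  "java-element-class": "com.example.Untrusted"}},
        {"name": "note", "type": ["null", {"type": "string",
                                           "java-class": "com.example.Untrusted"}]},
    ],
})


if __name__ == "__main__":
    for label, schema in (("benign", BENIGN_SCHEMA), ("tampered", TAMPERED_SCHEMA)):
        findings = check_avro_schema_json(schema)
        verdict = "OK" if not findings else "REJECT"
        print(f"{label}: {verdict}")
        for path, hint, cls in findings:
            print(f"  {path} {hint}={cls}")
```

In a deployment this check would be run over the `parquet.avro.schema` entry of each incoming file's footer metadata (for example via a Parquet library that exposes key/value metadata) before the file is handed to a parquet-avro reader; a non-empty result should block ingestion rather than merely log.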
Addressed in release:
- Cloudera Data Services on premises (formerly Private Cloud Data Services)
- 1.5.4 SP2 Hotfix