CVE-2025-30065 Apache Parquet vulnerability

On April 1, 2025, a critical vulnerability in the parquet-avro module of Apache Parquet (CVE-2025-30065, CVSS score 10.0) was announced.

Remediation for affected versions

Cloudera Data Warehouse version 1.10.1-b703 contains the required fixes for this vulnerability.

Vulnerability details

Exploiting this vulnerability is only possible by modifying the accepted schema used for translating Parquet files and subsequently submitting a specially crafted malicious file.

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. Attackers may be able to modify unexpected objects or data that was assumed to be safe from modification. Deserialized data or code could be modified without using the provided accessor functions, or unexpected functions could be invoked.

Deserialization vulnerabilities most commonly lead to undefined behavior, such as memory modification or remote code execution.

Releases affected: Cloudera Data Warehouse on cloud

Supported versions affected:
  • 1.9.6-b2
  • 1.9.5-b10
  • 1.9.4-b147
  • 1.9.3-b166
  • 1.9.2-b657 (Runtime: 2024.0.18.2-4)
  • 1.9.2-b657 (Runtime: 2024.0.18.1-1)

Action required - Mitigation for affected Cloudera products

Until the upgrade with Apache Parquet 1.15.1 or higher is available:
  1. Utilize a File Integrity Monitoring (FIM) solution. This allows administrators to monitor files at the filesystem level and receive alerts on any unexpected or suspicious activity in the schema configuration.
  2. Monitor network activity for any transmission of Parquet files, and alert on any unexpected activity.
  3. Be cautious with Parquet files from unknown or untrusted sources. If possible, do not process files with uncertain origin or that came from outside the organization.
  4. Ensure that only authorized users have access to endpoints that ingest Parquet files.
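
For mitigation 1, a minimal integrity check over a schema configuration directory, added here as an illustration; it is not Cloudera or Apache code and does not replace a FIM product. The directory layout, file names and sample schemas are constructed assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(schema_dir):
    """Map every file under schema_dir (relative path) to its SHA-256 digest."""
    root = Path(schema_dir)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def write_baseline(schema_dir, baseline_file):
    """Record the known-good state. Keep the baseline outside schema_dir."""
    Path(baseline_file).write_text(json.dumps(snapshot(schema_dir), indent=2))


def drift(schema_dir, baseline_file):
    """Return the files added, removed or modified since the baseline."""
    baseline = json.loads(Path(baseline_file).read_text())
    current = snapshot(schema_dir)
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in current.keys() & baseline.keys()
                           if current[p] != baseline[p]),
    }


def demo():
    """Baseline a constructed schema directory, change it, report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        schemas = Path(tmp, "schemas")  # hypothetical schema location
        schemas.mkdir()
        baseline = Path(tmp, "baseline.json")
        # Constructed sample schema files, not taken from any real deployment.
        (schemas / "orders.avsc").write_text('{"type": "record", "name": "Order", "fields": []}')
        (schemas / "users.avsc").write_text('{"type": "record", "name": "User", "fields": []}')
        write_baseline(schemas, baseline)
        # Simulate unexpected changes after the baseline was taken.
        (schemas / "orders.avsc").write_text('{"type": "record", "name": "Order2", "fields": []}')
        (schemas / "extra.avsc").write_text('{"type": "string"}')
        (schemas / "users.avsc").unlink()
        return drift(schemas, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any non-empty list in the result is a change to alert on; store the baseline file where accounts that can write to the schema directory cannot modify it.
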

Knowledge articles

For the latest update on this issue see the corresponding Knowledge articles: