#VU108164 Protection Mechanism Failure in Apache Parquet Java - CVE-2025-46762
Published: May 2, 2025
Apache Parquet Java
Apache Foundation
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation when parsing the Avro schema from Parquet file metadata. A remote attacker can trick the victim into installing a malicious package and execute arbitrary code on the system.
Note that the default setting of trusted packages still allows malicious classes from these packages to be executed.