A flaw in the Java code for reading Parquet, Apache's open-source columnar data file format, allows attackers to run arbitrary code on any system that parses a malicious file.
The vulnerability, tracked as CVE-2025-30065, is a deserialization-of-untrusted-data issue (CWE-502) in Parquet's Java library: parsing a maliciously crafted Parquet file can lead to arbitrary code execution on the host doing the parsing.
“This vulnerability can impact data pipelines and analytics systems that import Parquet files, particularly when those files come from external or untrusted sources,” Endor Labs said in a blog post.
Organizations that use Parquet in their big-data and analytics stacks (the most common use of the format's columnar storage) should patch immediately to prevent potential system takeover.
Affects Java implementations of Apache Parquet
The Parquet Java library (parquet-java), the reference implementation for working with Parquet files in the Java ecosystem, is affected in every version up to and including 1.15.0; the fix ships in 1.15.1.
“Our own data indicates that this was introduced in version 1.8.0; however, current guidelines are to review all historic versions,” Endor Labs said.
Technical details of a working exploit have not been published, but the vulnerable component has been identified: the library's parquet-avro module, which maps Parquet data to and from Avro records, deserializes untrusted data taken from the file itself, so a crafted Parquet file fed to a vulnerable reader can achieve remote code execution.
Any application or service that uses the Java library, including popular big-data frameworks such as Hadoop, Spark and Flink, is susceptible. The resulting remote code execution (RCE) can let attackers take control of the affected systems, tamper with or steal data, install malware, and disrupt services, Endor Labs added.
No known exploits yet
Neither Endor Labs nor the NIST NVD entry reported any exploitation of CVE-2025-30065 as of publication of this article. Apache fixed the issue in release 1.15.1 on March 16, 2025, without an accompanying advisory at the time; the CVE record links to the corresponding changes on GitHub.
Endor Labs advised prompt patching of the vulnerability, which threatens the confidentiality, integrity and availability of affected systems. It cautioned developers that the absence of reported attacks should not delay action, as the issue is now public knowledge.
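The first question for anyone reading the patching advice above is whether parquet-avro is even on the classpath, and it usually arrives transitively through Spark, Hadoop or Flink rather than as a direct dependency. The following Python script is an added example, not code from the article, Endor Labs or the Apache Parquet project: it scans the text of `mvn dependency:tree` or `gradle dependencies` output for parquet-java artifacts and flags parquet-avro versions below 1.15.1, the fixed release named above. The dependency-tree snippets in the block are constructed samples, not captured from a real build, and the decision to flag only parquet-avro follows the article's statement that this module is the vulnerable one.

```python
import re

FIXED_VERSION = (1, 15, 1)  # first parquet-java release carrying the fix

# Matches Maven lines ("group:artifact:jar:version:scope") and Gradle lines
# ("group:artifact:version", optionally followed by "-> resolvedVersion").
DEP_RE = re.compile(
    r"org\.apache\.parquet:(parquet-[\w-]+):(?:jar:)?(\d+(?:\.\d+)*)"
    r"(?:\S*\s+->\s+(\d+(?:\.\d+)*))?"
)


def parse_version(version: str) -> tuple:
    """'1.15.1' -> (1, 15, 1); tuples compare element-wise, so 1.8.0 < 1.15.1
    (a plain string comparison would wrongly rank "1.8.0" above "1.15.1")."""
    return tuple(int(part) for part in version.split("."))


def audit_dependency_tree(tree_text: str) -> list:
    """Return (artifact, effective_version, vulnerable) for each parquet-java
    artifact in the tree. Only parquet-avro is marked vulnerable, the module
    the advisory names; other artifacts are listed so the pinned versions of
    the rest of the library are visible in the same report."""
    findings = []
    for match in DEP_RE.finditer(tree_text):
        artifact, declared, resolved = match.groups()
        version = resolved or declared  # Gradle prints "declared -> resolved"
        vulnerable = artifact == "parquet-avro" and parse_version(version) < FIXED_VERSION
        findings.append((artifact, version, vulnerable))
    return findings


def is_exposed(tree_text: str) -> bool:
    return any(vulnerable for _, _, vulnerable in audit_dependency_tree(tree_text))


# Constructed sample output (not from a real build): parquet-avro pulled in
# transitively by Spark at a vulnerable version.
MAVEN_TREE = """\
[INFO] com.example:pipeline:jar:1.0
[INFO] +- org.apache.spark:spark-sql_2.12:jar:3.5.1:compile
[INFO] |  +- org.apache.parquet:parquet-column:jar:1.13.1:compile
[INFO] |  \\- org.apache.parquet:parquet-hadoop:jar:1.13.1:compile
[INFO] \\- org.apache.parquet:parquet-avro:jar:1.13.1:compile
"""

# Constructed Gradle output where a direct pin overrides the transitive
# version; the resolved version after "->" is the one that ends up running.
GRADLE_TREE = """\
runtimeClasspath
+--- org.apache.spark:spark-sql_2.12:3.5.1
|    \\--- org.apache.parquet:parquet-avro:1.13.1 -> 1.15.1
\\--- org.apache.parquet:parquet-avro:1.15.1
"""

if __name__ == "__main__":
    for label, tree in (("maven", MAVEN_TREE), ("gradle", GRADLE_TREE)):
        print(label, "exposed" if is_exposed(tree) else "ok", audit_dependency_tree(tree))
```

Run it against the saved output of the build tool rather than against a pom.xml or build.gradle alone: the declared version is not always the version the build resolves, which is why the Gradle sample reports the "->" target.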
One mitigating factor is that exploitation requires the vulnerable application to parse an attacker-supplied file: the vulnerability is triggered only when a malicious Parquet file is imported into the system, so pipelines that ingest files from external or untrusted sources are the ones most exposed.
That may not hold for long. Last month a critical flaw in another Java-based Apache project, the Tomcat application server, was exploited within 30 hours of public disclosure.
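Since the parquet-avro module reads data embedded in the file and the only trigger is a malicious file reaching a vulnerable reader, a practical interim control is to triage untrusted Parquet files before a parquet-java process opens them. The following Python script is an added example, not code from the article, Endor Labs or the Apache Parquet project. It reads only the Parquet footer (the Thrift-encoded FileMetaData at the end of the file), extracts the Avro schema that parquet-avro stores in the key/value metadata under the `parquet.avro.schema` key, and lists any schema properties that name a Java class (`java-class`, `java-key-class`, `java-element-class`). Treating those properties as a warning sign in files from untrusted sources is this example's own heuristic and an assumption about what is worth flagging, not a detail the advisory states; the lookup also assumes the standard compact-protocol encoding of a KeyValue entry, and the sample inputs are constructed files that carry only that metadata entry rather than a full Parquet footer.

```python
import json
import struct

MAGIC = b"PAR1"
# Key under which parquet-avro stores the writer's Avro schema in the file's
# key/value metadata; parquet-avro reads it back when the file is opened.
AVRO_SCHEMA_KEY = b"parquet.avro.schema"
# Avro schema properties that name a Java class for the reader to use.
# Flagging them is this example's triage heuristic (an assumption).
CLASS_PROPS = ("java-class", "java-key-class", "java-element-class")


def _read_varint(buf: bytes, pos: int):
    """Decode a Thrift compact-protocol unsigned varint starting at buf[pos]."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def _write_varint(n: int) -> bytes:
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        if n:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def read_footer(data: bytes) -> bytes:
    """Return the Thrift-encoded FileMetaData. A Parquet file ends with
    <footer><4-byte little-endian footer length>PAR1, so only the tail is read."""
    if len(data) < 12 or data[:4] != MAGIC or data[-4:] != MAGIC:
        raise ValueError("not a Parquet file: PAR1 magic missing")
    (footer_len,) = struct.unpack("<i", data[-8:-4])
    if footer_len <= 0 or footer_len > len(data) - 12:
        raise ValueError("footer length out of range")
    return data[-8 - footer_len:-8]


def extract_avro_schema(footer: bytes):
    """Pull the JSON value of the parquet.avro.schema KeyValue entry without a
    full Thrift parser. A KeyValue struct is two compact-protocol string fields,
    each headed by 0x18 (field-id delta 1, type BINARY) and a varint length;
    the lookup assumes that standard encoding (assumption of this example)."""
    needle = b"\x18" + _write_varint(len(AVRO_SCHEMA_KEY)) + AVRO_SCHEMA_KEY + b"\x18"
    idx = footer.find(needle)
    if idx < 0:
        return None
    length, pos = _read_varint(footer, idx + len(needle))
    if pos + length > len(footer):
        return None
    return footer[pos:pos + length].decode("utf-8", errors="replace")


def find_class_props(schema) -> list:
    """Walk a parsed Avro schema (records, unions, arrays, maps) and list
    every property that names a Java class."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in CLASS_PROPS and isinstance(value, str):
                    found.append(f"{key}={value}")
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(schema)
    return found


def triage(data: bytes) -> dict:
    """Report whether a Parquet byte string carries an embedded Avro schema and
    which class-naming properties that schema contains."""
    schema_text = extract_avro_schema(read_footer(data))
    if schema_text is None:
        return {"avro_schema": False, "class_props": []}
    try:
        schema = json.loads(schema_text)
    except json.JSONDecodeError:
        return {"avro_schema": True, "class_props": ["<unparseable schema>"]}
    return {"avro_schema": True, "class_props": find_class_props(schema)}


def build_sample(schema_json: str) -> bytes:
    """Constructed test input: PAR1 framing around a footer holding only the
    parquet.avro.schema KeyValue entry (a real footer also carries the Parquet
    schema and row-group metadata, omitted here)."""
    encoded = schema_json.encode("utf-8")
    key_value = (b"\x18" + _write_varint(len(AVRO_SCHEMA_KEY)) + AVRO_SCHEMA_KEY
                 + b"\x18" + _write_varint(len(encoded)) + encoded + b"\x00")
    return MAGIC + b"\x00" * 16 + key_value + struct.pack("<i", len(key_value)) + MAGIC


# Constructed schemas: one plain, one that names a class for the reader to use.
PLAIN_SCHEMA = '{"type":"record","name":"r","fields":[{"name":"f","type":"string"}]}'
CLASS_SCHEMA = ('{"type":"record","name":"r","fields":[{"name":"f",'
                '"type":{"type":"string","java-class":"com.example.Thing"}}]}')

if __name__ == "__main__":
    for label, schema in (("plain", PLAIN_SCHEMA), ("class", CLASS_SCHEMA)):
        print(label, triage(build_sample(schema)))
```

This is a gate for quarantining suspicious uploads, not a substitute for upgrading to 1.15.1: a file that passes the check is still handed to the same vulnerable reader, and the check only sees what the writer chose to put under that one metadata key.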