Apache Parquet Java Deserialization Vulnerability
Vulnerability Information
Vulnerability name: Apache Parquet Java Deserialization Vulnerability
Vulnerability IDs:
- CVE: CVE-2025-30065
Vulnerability type: Deserialization
Severity: Critical
Vulnerability description:
### Affected Products
Apache Parquet is a columnar storage file format that is widely used in big-data processing frameworks such as Hadoop and Spark to store and process large-scale datasets efficiently. The parquet-avro library is a component of Apache Parquet that supports serialization and deserialization of the Avro data model. Because of its wide use across the big-data ecosystem, this vulnerability has a large impact footprint.
### Vulnerability Explanation
This is a deserialization vulnerability. Its technical root cause is that the parquet-avro library fails to properly validate the embedded Avro schema when it processes a Parquet file. An attacker can craft a malicious Parquet file containing a specially crafted Avro schema that uses default values to trigger the instantiation of arbitrary Java classes. Under specific conditions this can lead to remote code execution (RCE). Exploitation requires all of the following: the application uses the parquet-avro library, it processes Parquet files that carry an embedded Avro schema, the targeted Java class is present on the application's classpath, and no safeguards (such as allow-lists or class restrictions) are in place.
### Impact Analysis
The security risk is extremely high, with a CVSS score of 10.0 (Critical). By crafting a malicious file, an attacker can execute arbitrary code on the victim's system, which may lead to data leakage, service disruption or further network intrusion. Because exploitation requires no authentication and can be automated, the risk of abuse is very high now that public PoCs exist. Users are advised to upgrade immediately to Apache Parquet Java 1.15.1 or later and to implement additional safeguards, such as enabling a class allow-list and restricting the processing of untrusted Parquet files.
Vendor: Apache
Product: parquet-avro
Affected versions: version < 1.15.1
Source: https://github.com/B1ack4sh/Blackash-CVE-2025-30065
Type: CVE-2025:github search
Repository files
- README.md
Source overview
CVE-2025-30065 ==> Dangerous Deserialization in Parquet-Avro 🔥
⚠️ What’s the Risk?
- Severity: 10.0 (Critical ☠️) on CVSS.
- What it allows: An attacker can craft a malicious Parquet file that embeds a custom Avro schema designed to trigger the instantiation of arbitrary Java classes.
- Result: Under certain conditions, this can lead to remote code execution.
🔍 How is it exploited?
To exploit this vulnerability, the following conditions must be met:
- Your application uses the `parquet-avro` library.
- It processes a Parquet file with an embedded Avro schema.
- The attacker’s target Java class exists on the application classpath.
- There are no safeguards (e.g., allow-lists or class restrictions).
Example: A malicious file might trigger `javax.swing.JEditorPane`, which performs HTTP requests, potentially giving the attacker network access or triggering side effects.
📂 Structure !
- `ParquetExploitGenerator.java` – Generates a malicious Parquet file using a crafted Avro schema with default values that directly triggers instantiation of a standard Java class (javax.swing.JEditorPane).
- `PayloadRecord.java` – Payload class with a static initializer (legacy PoC component, now overwritten by the new logic).
- `ParquetVictim.java` – Simulated victim application that reads the Parquet file and deserializes the Avro schema, triggering the payload under the right conditions.
🏗️ Build & Run !
Use `CVE-2025-30065.sh` (included) to automate compilation, dependency resolution via Maven, and execution of the full chain.
Requirements:
- Java 8+
- Maven
🛠️ How to Protect Yourself
✅ Immediate Action: Update
Upgrade Apache Parquet Java to version 1.15.1 or newer.
If you use packaged solutions like:
- Cloudera: Upgrade to Data Warehouse 1.10.1-b703 or later.
- IBM Db2: Apply fix packs such as 11.1.4 FP7, 11.5.9, or 12.1.1.
🔒 Additional Mitigations
Enable class allow-lists:
- Use `org.apache.parquet.avro.SERIALIZABLE_PACKAGES` and set it to only trusted packages (avoid `*`).
- Use `org.apache.avro.TRUSTED_PACKAGES` to restrict Avro schema behavior.
- Block or scan Parquet files from untrusted sources.
- Test your pipeline using PoC tools (like the F5 Canary exploit).
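A defender-side check for the upgrade and allow-list items above, as an added shell example that is not from the PoC repository or the Parquet project: it scans a `mvn dependency:list` style listing (constructed sample input) for parquet-avro builds older than 1.15.1 and assembles the two allow-list JVM flags named in this section. The trusted-package list `java.lang,java.util` is an assumed placeholder to tune per application.

```shell
#!/bin/sh
# Added example, not part of the PoC repository or of Apache Parquet: audit a
# `mvn dependency:list` style listing for parquet-avro builds below the fixed
# version 1.15.1, and assemble the hardened JVM flags from the mitigation list.
# SAMPLE_DEPS is constructed sample input, not output from a real project.
SAMPLE_DEPS='org.apache.parquet:parquet-avro:jar:1.15.0:compile
org.apache.parquet:parquet-hadoop:jar:1.15.0:compile
org.apache.avro:avro:jar:1.11.4:compile'

FIXED_VERSION=1.15.1

# Map a dotted version (major.minor.patch) onto one integer so that plain
# integer comparison orders versions correctly (assumes components < 1000).
version_key() {
  printf '%s\n' "$1" | awk -F. '{ printf "%d", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Succeeds when version $1 is at least version $2.
version_ge() {
  [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

# Read a dependency listing on stdin and print every parquet-avro version that
# is still below FIXED_VERSION (prints nothing when the tree is clean).
find_vulnerable_parquet_avro() {
  while IFS= read -r line; do
    case "$line" in
      *org.apache.parquet:parquet-avro:jar:*)
        ver=${line#*parquet-avro:jar:}   # drop everything up to the version
        ver=${ver%%:*}                   # drop the scope that follows it
        version_ge "$ver" "$FIXED_VERSION" || printf '%s\n' "$ver"
        ;;
    esac
  done
}

# Build the allow-list flags with a narrow trusted-package list (assumed
# placeholder; tune it per application), never "*".
hardened_jvm_flags() {
  pkgs=${1:-java.lang,java.util}
  printf '%s' "-Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES=$pkgs" \
              " -Dorg.apache.avro.TRUSTED_PACKAGES=$pkgs"
}

vulnerable=$(printf '%s\n' "$SAMPLE_DEPS" | find_vulnerable_parquet_avro)
if [ -n "$vulnerable" ]; then
  echo "parquet-avro $vulnerable is below $FIXED_VERSION: upgrade it."
  echo "Until then, launch the reader with: $(hardened_jvm_flags)"
fi
```

Feed real `mvn dependency:list` output into `find_vulnerable_parquet_avro` to check a project's own tree; the flags only narrow which classes the reader may instantiate and are no substitute for the upgrade.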
❗ Is it being exploited in the wild?
- No confirmed active exploitation yet, but public PoCs exist, making it likely to be abused soon.
✅ Quick Security Checklist
| Task | Status |
|---|---|
| Upgrade Apache Parquet to ≥ 1.15.1 | ✅ |
| Review Cloudera/Db2 or similar dependencies | ✅ |
| Restrict allowed Java packages | ✅ |
| Avoid ingesting untrusted Parquet files | ✅ |
| Run PoC or canary exploit tests | ✅ |
| Monitor system/network for anomalies | ✅ |
🔒 Disclaimer
This content is provided for educational and informational purposes only. The aim is to raise awareness about the security vulnerability CVE-2025-30065 in Apache Parquet and promote safe practices in software development and deployment.
No part of this information is intended to encourage or support malicious activity, unauthorized access, or exploitation of systems.
Always ensure that you are authorized to test any system, and follow responsible disclosure and legal boundaries.
The author(s) are not responsible for any misuse of the information presented.