A maximum severity vulnerability (CVSS 10.0) has been discovered in Apache Parquet, a columnar storage format used extensively in big data platforms like Spark, Hadoop, AWS EMR, and data lakes across Netflix, Uber, LinkedIn, and more.
- Vulnerability ID: CVE-2025-30065
- Impact: Remote Code Execution (RCE)
- Affected Versions: Up to and including 1.15.0
- Fix: Upgrade to 1.15.1
The Flaw
The issue stems from schema parsing in the parquet-avro module: the schema embedded in a Parquet file is untrusted data, and deserializing it lets an attacker who can supply a crafted file execute arbitrary code on the system that parses it, with no authentication, privileges, or user interaction required.
Exploit Conditions
The attacker must get a vulnerable system to process a malicious file, typically by uploading it or importing it into a data pipeline that reads Parquet.
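Because the exploit condition is simply "an untrusted file reaches the parser", the practical control is a gate in front of ingestion. The following is an added example (not part of this advisory or of Apache Parquet): a file built for CVE-2025-30065 is still a structurally valid Parquet file, so the gate does not try to detect the payload; it only lets files from an explicitly trusted source through, quarantines everything else, and logs every decision with a SHA-256 so the ingestion path can be audited. The source names, directory layout and log format are assumptions of the example; the magic-bytes and footer-length layout it checks comes from the Parquet file format.

```python
"""Pre-ingestion gate for Parquet files that arrive from outside the pipeline.

Added example (not from the advisory or the Apache Parquet project). It enforces
"only process Parquet files from trusted sources" and records an audit trail;
it does not detect a CVE-2025-30065 payload, which is a valid Parquet file.
"""
import hashlib
import json
import os
import shutil
import struct
import time
from dataclasses import dataclass, asdict
from typing import Set

PARQUET_MAGIC = b"PAR1"


@dataclass
class Decision:
    source: str
    sha256: str
    action: str   # "ingest" or "quarantine"
    reason: str


def parquet_container_ok(data: bytes) -> bool:
    """Cheap structural check: 'PAR1' at both ends and a footer length that fits.

    Layout (Parquet format spec): header magic, column data, Thrift footer,
    4-byte little-endian footer length, trailing magic. A truncated or
    mislabelled upload is rejected here before any schema is parsed.
    """
    if len(data) < 12 or data[:4] != PARQUET_MAGIC or data[-4:] != PARQUET_MAGIC:
        return False
    (footer_len,) = struct.unpack("<I", data[-8:-4])
    return 0 < footer_len <= len(data) - 12


def decide(data: bytes, source: str, trusted_sources: Set[str]) -> Decision:
    """Pure policy decision; no filesystem side effects, so it is easy to test."""
    digest = hashlib.sha256(data).hexdigest()
    if source not in trusted_sources:
        return Decision(source, digest, "quarantine", "source not in allowlist")
    if not parquet_container_ok(data):
        return Decision(source, digest, "quarantine", "malformed Parquet container")
    return Decision(source, digest, "ingest", "trusted source, well-formed container")


def triage_file(path: str, source: str, trusted_sources: Set[str],
                quarantine_dir: str, log_path: str) -> Decision:
    """Apply the policy to a file on disk, move rejects aside, append an audit line."""
    with open(path, "rb") as fh:
        data = fh.read()
    decision = decide(data, source, trusted_sources)
    if decision.action == "quarantine":
        os.makedirs(quarantine_dir, exist_ok=True)
        shutil.move(path, os.path.join(quarantine_dir, os.path.basename(path)))
    record = {"ts": time.time(), "path": path, **asdict(decision)}
    with open(log_path, "a", encoding="utf-8") as log:   # one JSON line per decision
        log.write(json.dumps(record) + "\n")
    return decision


# Constructed sample input: a minimal blob shaped like a Parquet container
# (placeholder bytes, not real column data) and a truncated copy of it.
_FOOTER = b"\x15\x02\x00"
SAMPLE_OK = (PARQUET_MAGIC + b"\x00" * 16 + _FOOTER
             + struct.pack("<I", len(_FOOTER)) + PARQUET_MAGIC)
SAMPLE_TRUNCATED = SAMPLE_OK[:-6]
TRUSTED = {"warehouse-etl", "partner-feed-A"}   # assumed allowlist

if __name__ == "__main__":
    for label, blob, src in [("ok", SAMPLE_OK, "warehouse-etl"),
                             ("untrusted", SAMPLE_OK, "anonymous-upload"),
                             ("truncated", SAMPLE_TRUNCATED, "warehouse-etl")]:
        print(label, decide(blob, src, TRUSTED))
```

The policy is split from the I/O on purpose: `decide` can be unit-tested with byte strings, while `triage_file` is the part wired into the upload handler. The allowlist check runs first, so an untrusted file is never even parsed for its footer.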
Real-World Risk
Apache Parquet powers analytics pipelines and machine learning workflows across cloud-native stacks. A successful exploit could:
- Lead to RCE on critical data infrastructure
- Exfiltrate or tamper with sensitive data
- Introduce payloads like ransomware
- Disrupt cloud workloads
No active exploitation has been observed yet, but Apache vulnerabilities have historically been targeted within hours of public disclosure.
What We Recommend:
- Patch ASAP: Upgrade to Parquet v1.15.1
- Harden inputs: Only process Parquet files from trusted sources
- Log & monitor systems handling Parquet ingestion
- If you can’t upgrade immediately: quarantine all unverified Parquet data
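The first step of the checklist is finding every build that still pulls in an affected parquet-avro. The script below is an added example, not tooling from the Apache Parquet project: it scans the text produced by `mvn dependency:list` / `mvn dependency:tree` or Gradle's `dependencies` task for coordinates of the form group:artifact[:type]:version, honours Gradle's `old -> resolved` conflict notation, and flags any parquet-avro at or below 1.15.0 (the affected range given above), treating a pre-release build of 1.15.1 as unfixed. The dependency listing it runs on is constructed for the demonstration.

```python
"""Audit a dependency listing for parquet-avro builds affected by CVE-2025-30065
(every release up to and including 1.15.0; fixed in 1.15.1).

Added example, not Apache Parquet tooling. Input: Maven `dependency:list` /
`dependency:tree` output or Gradle `dependencies` output, one coordinate per line.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

PARQUET_GROUP = "org.apache.parquet"
VULNERABLE_ARTIFACT = "parquet-avro"   # the module named in the advisory
FIXED_VERSION = "1.15.1"

# group:artifact[:jar|pom|bundle|test-jar]:version, optionally followed by
# Gradle's " -> resolvedVersion" when conflict resolution upgraded it.
COORD_RE = re.compile(
    r"(?P<group>[A-Za-z0-9_.\-]+):(?P<artifact>[A-Za-z0-9_.\-]+)"
    r"(?::(?:jar|pom|bundle|test-jar))?:(?P<version>\d[A-Za-z0-9_.\-]*)"
    r"(?:\s*->\s*(?P<resolved>\d[A-Za-z0-9_.\-]*))?"
)


def parse_version(v: str) -> Tuple[Tuple[int, ...], str]:
    """Split '1.15.1-SNAPSHOT' into ((1, 15, 1), '-SNAPSHOT')."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(.*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)


def is_affected(version: str) -> bool:
    """True for anything below 1.15.1, or a pre-release qualifier of 1.15.1 itself."""
    nums, qualifier = parse_version(version)
    fixed, _ = parse_version(FIXED_VERSION)
    width = max(len(nums), len(fixed))
    nums += (0,) * (width - len(nums))
    fixed += (0,) * (width - len(fixed))
    if nums < fixed:
        return True
    # 1.15.1-SNAPSHOT / -rc builds predate the release: treat as unfixed.
    return nums == fixed and qualifier != ""


@dataclass
class Finding:
    artifact: str
    version: str
    line: str


def audit_dependency_listing(text: str) -> List[Finding]:
    """Return one Finding per line that resolves to an affected parquet-avro."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = COORD_RE.search(raw)
        if (not m or m.group("group") != PARQUET_GROUP
                or m.group("artifact") != VULNERABLE_ARTIFACT):
            continue
        version = m.group("resolved") or m.group("version")   # Gradle: use the resolved one
        if is_affected(version):
            findings.append(Finding(m.group("artifact"), version, raw.strip()))
    return findings


# Constructed sample: Maven and Gradle lines from two hypothetical projects.
SAMPLE_LISTING = """\
[INFO]    org.apache.parquet:parquet-avro:jar:1.15.0:compile
[INFO]    org.apache.parquet:parquet-hadoop:jar:1.15.0:compile
[INFO]    org.apache.avro:avro:jar:1.11.4:compile
+--- org.apache.parquet:parquet-avro:1.12.3
+--- org.apache.parquet:parquet-avro:1.14.0 -> 1.15.1
+--- org.apache.parquet:parquet-column:1.15.1
"""

if __name__ == "__main__":
    for f in audit_dependency_listing(SAMPLE_LISTING):
        print(f"AFFECTED {f.artifact} {f.version}: {f.line}")
```

Run it against the saved output of your build tool (`mvn dependency:list > deps.txt`, then feed the file to `audit_dependency_listing`); the Gradle line `1.14.0 -> 1.15.1` is correctly not flagged because the resolved version is the fixed one, while a shaded or vendored copy of parquet-avro will not appear in any listing and still has to be checked by hand.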