A serious security vulnerability has been identified in the Java library of Apache Parquet. Successfully exploiting this flaw could enable a remote attacker to execute arbitrary code on vulnerable systems.
Apache Parquet, first introduced in 2013, is an open-source columnar data storage format optimized for high-performance data processing and retrieval. It supports complex data types along with efficient compression and encoding techniques.
This specific vulnerability, cataloged as CVE-2025-30065, carries a critical CVSS score of 10.0, reflecting its potential impact.
Project maintainers have indicated that “schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and earlier versions allows malicious actors to execute arbitrary code.” To exploit this vulnerability, an attacker would need to convince a vulnerable system to process a specially crafted Parquet file, as noted by Endor Labs.
The implications of this vulnerability are substantial for data pipelines and analytics systems that rely on importing Parquet files, particularly when those files originate from untrusted sources. “If attackers can alter these files, triggering the vulnerability becomes a distinct possibility,” the company reported.
The flaw affects all versions of Apache Parquet up to and including 1.15.0 and has been fixed in version 1.15.1. Its discovery is credited to Keyi Li of Amazon.
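As an added defender-side check (not part of this article or of the Apache Parquet project), the following Python script parses a Maven pom.xml and flags any org.apache.parquet artifact whose version is below the fixed release, 1.15.1. The pom.xml content is constructed for the example; the version comparison and the single-level `${property}` expansion are simplified assumptions about Maven's behaviour, not Maven's own resolution logic.

```python
"""Flag Maven dependencies on Apache Parquet Java artifacts affected by CVE-2025-30065.

Added example, not code from the article or the Apache Parquet project.
Versions at or below 1.15.0 are affected; 1.15.1 is the fixed release.
"""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = "1.15.1"  # first fixed release named in the advisory
PARQUET_GROUP = "org.apache.parquet"

# Constructed sample pom.xml: one vulnerable parquet artifact (version set via a
# property), one patched parquet artifact, and an unrelated dependency that
# must not be flagged.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>pipeline</artifactId>
  <version>1.0</version>
  <properties>
    <parquet.version>1.15.0</parquet.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.parquet</groupId>
      <artifactId>parquet-avro</artifactId>
      <version>${parquet.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.parquet</groupId>
      <artifactId>parquet-hadoop</artifactId>
      <version>1.15.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.avro</groupId>
      <artifactId>avro</artifactId>
      <version>1.11.4</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(version):
    """Turn '1.15.0' or '1.15.1-SNAPSHOT' into a comparable tuple of ints.

    Simplification (assumption): qualifiers after the numeric part are dropped,
    so 1.15.1-SNAPSHOT compares as 1.15.1. Missing components are padded with 0
    so that '1.15' equals '1.15.0'.
    """
    match = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(version):
    """True when the version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def _local(tag):
    """Strip an XML namespace prefix such as '{http://maven.apache.org/POM/4.0.0}'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local tag name, or ''."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def _expand_property(value, props):
    """Expand a single ${name} reference from the <properties> block (simplified)."""
    match = re.fullmatch(r"\$\{([^}]+)\}", value)
    return props.get(match.group(1), value) if match else value


def find_vulnerable_parquet(pom_xml):
    """Return [(artifactId, version)] for org.apache.parquet dependencies below 1.15.1."""
    root = ET.fromstring(pom_xml)
    props = {}
    for elem in root.iter():
        if _local(elem.tag) == "properties":
            props = {_local(c.tag): (c.text or "").strip() for c in elem}
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        if _child_text(dep, "groupId") != PARQUET_GROUP:
            continue
        version = _child_text(dep, "version")
        if not version:
            # Version managed by a parent POM or BOM: not resolvable from this file alone.
            continue
        version = _expand_property(version, props)
        if is_vulnerable(version):
            findings.append((_child_text(dep, "artifactId"), version))
    return findings


if __name__ == "__main__":
    for artifact, version in find_vulnerable_parquet(SAMPLE_POM):
        print(f"VULNERABLE: {PARQUET_GROUP}:{artifact}:{version} (upgrade to {FIXED_VERSION})")
```

A check against the pom.xml alone misses artifacts that arrive transitively or whose version is managed by a parent POM or BOM, so confirm the effective versions with `mvn dependency:tree` on the real build and treat any org.apache.parquet artifact below 1.15.1 as needing the upgrade.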
While no active exploitation of this flaw has been reported, Apache projects remain prime targets for threat actors seeking to exploit vulnerabilities to compromise systems and deploy malicious software. Just last month, a critical security flaw in Apache Tomcat (CVE-2025-24813, CVSS score: 9.8) was actively exploited within 30 hours of its public disclosure.
Aqua, a cloud security firm, recently uncovered a new campaign targeting Apache Tomcat servers, where attackers use easily guessable credentials to deploy encrypted payloads designed to steal SSH credentials for lateral movement and hijack system resources for cryptocurrency mining.
These payloads are also capable of establishing persistence, functioning as a Java-based web shell that enables the execution of arbitrary Java code on the server, as outlined by Assaf Morag, director of threat intelligence at Aqua. Furthermore, the malicious script checks for root privileges and optimizes CPU consumption to enhance cryptomining outcomes.
This campaign, affecting both Windows and Linux systems, is presumed to be linked to a Chinese-speaking threat actor due to the presence of Chinese comments in the source code.