While the technical details of a possible exploit are yet to be published, a specific module within the library, parquet-avro, was found to permit deserialization of untrusted data, enabling remote code execution through crafted Parquet files.
Any application or service that uses the Java library, including popular big-data frameworks such as Hadoop, Spark, and Flink, is susceptible to attack. The resulting remote code execution (RCE) on victim systems can allow attackers to take control of those systems, tamper with or steal data, install malware, and/or disrupt services, Endor Labs added.
No known exploits yet
Neither Endor Labs nor NIST's NVD entry reported any exploit attempts using CVE-2025-30065 as of the publication of this article. Apache quietly pushed a fix with the release of 1.15.1 on March 16, 2025, with a GitHub link to the changes made in the update.
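An added inventory check, written for this article and not code from Endor Labs, Apache, or the NVD entry: it scans constructed `mvn dependency:list` output and flags any parquet-avro dependency below the 1.15.1 fix named above. The Maven group id org.apache.parquet and the line format are assumptions.

```python
"""Flag org.apache.parquet:parquet-avro versions below the fixed release."""
import re
from typing import List, Tuple

# Fixed release named in the article; anything below it is treated as affected.
FIXED_VERSION = "1.15.1"
# Assumed Maven coordinates of the affected module.
VULN_ARTIFACT = ("org.apache.parquet", "parquet-avro")

# Matches the form `mvn dependency:list` prints, e.g.
#    org.apache.parquet:parquet-avro:jar:1.15.0:compile
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):\w+")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.15.0' into (1, 15, 0); a '-SNAPSHOT'-style suffix is dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))


def find_vulnerable(lines: List[str]) -> List[str]:
    """Return coordinates of parquet-avro entries whose version is below FIXED_VERSION."""
    hits = []
    for line in lines:
        m = DEP_RE.search(line)
        if not m:
            continue
        group, artifact, version = m.groups()
        if (group, artifact) != VULN_ARTIFACT:
            continue
        if parse_version(version) < parse_version(FIXED_VERSION):
            hits.append(f"{group}:{artifact}:{version}")
    return hits


# Constructed sample of `mvn dependency:list` output (not real project data).
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.parquet:parquet-avro:jar:1.15.0:compile
[INFO]    org.apache.parquet:parquet-hadoop:jar:1.15.0:compile
[INFO]    org.apache.avro:avro:jar:1.11.3:compile
[INFO]    org.apache.parquet:parquet-avro:jar:1.15.1:test
""".splitlines()

if __name__ == "__main__":
    for hit in find_vulnerable(SAMPLE):
        print("affected:", hit)
```

Run it against the real `mvn dependency:list` output of a project to see which modules still pull in a pre-1.15.1 parquet-avro.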