F5 Labs researchers released a PoC tool to find servers vulnerable to the Apache Parquet vulnerability CVE-2025-30065. A working proof-of-concept exploit for the critical Apache Parquet vulnerability CVE-2025-30065 has been released by F5 Labs, allowing the identification of vulnerable servers. The tool, called “canary exploit,” is available on the security firm’s GitHub repository. Apache Parquet’s […] F5 Labs researchers released a PoC tool to find servers vulnerable to the Apache Parquet vulnerability CVE-2025-30065. A working proof-of-concept exploit for the critical Apache Parquet vulnerability CVE-2025-30065 has been released by F5 Labs, allowing the identification of vulnerable servers. The tool, called “canary exploit,” is available on the security firm’s GitHub repository. Apache Parquet’s Java Library is a software library for reading and writing Parquet files in the Java programming language. Parquet is a columnar storage file format that is optimized for use with large-scale data processing frameworks, such as Apache Hadoop, Apache Spark, and Apache Drill. In April 2025, experts disclosed a critical vulnerability, tracked as CVE-2025-30065 (CVSS score of 10.0), impacting Apache Parquet’s Java Library that could allow remote code execution “Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code” reads the advisory. The vulnerability CVE-2025-30065 is a Deserialization of Untrusted Data issue. The flaw affects systems importing Parquet files, especially from untrusted sources, and can be exploited by attackers tampering with the files. Versions 1.15.0 and earlier are vulnerable, with the flaw traced back to version 1.8.0. This impacts big-data frameworks (e.g., Hadoop, Spark, Flink) and custom applications using Parquet. Users should verify their software stack for this issue. “If an attacker tricks a vulnerable system into reading a specially crafted Parquet file, they could gain remote code execution (RCE) on that system .” reads a report published by Endor Labs. “In practice, this might allow them to: Take control of the system: They could run any commands or software, effectively gaining control . Steal or tamper with data: Sensitive information could be accessed, copied, or modified. Install malware: The attacker might deploy ransomware, cryptominers, or other malicious software. Disrupt services: They could shut down services or corrupt data, causing denial of service and business downtime. “All confidentiality, integrity, and availability of the affected system are at risk (in CVSS terms, “High” impact on all three) . Despite the frightening potential, it’s important to note that the vulnerability can only be exploited if a malicious Parquet file is imported.” According to Endor Labs, as of April 2025, there are no known active exploits for this vulnerability. However, with the issue now public, threat actors may attempt to exploit it. The researchers urge users to address the issue immediately. To protect your systems from CVE-2025-30065, upgrade Apache Parquet Java to version 1.15.1 or later. If that’s not possible, avoid or validate Parquet files from untrusted sources and implement input validation. Enable monitoring and logging to detect suspicious behavior, and stay informed on updates from Apache or cybersecurity authorities. Applying these actions will reduce risks and protect your systems. F5 Labs found that while CVE-2025-30065 isn’t a full RCE, it can trigger harmful side effects like network requests from a vulnerable server. The experts still believe that real-world exploitation of the flaw is difficult. “F5 Labs has created a tool that generates a parquet/avro file that will trigger object instantiation of a class that comes with Java (javax.swing.JEditorKit).1 Instantiating javax.swing.JEditorKit with a single String argument has the side effect of treating the String as a URL and making an HTTP GET request.” reads the report published by F5 Labs. “By registering a canary URL and using that as the target URL, our tool allows for easy testing of the vulnerability, as well as assurance it has been fixed by applying patches and proper configuration.” F5 Labs created the tool to help developers and security teams quickly assess if their systems are affected by critical flaws, reducing response time, especially in complex environments with hidden dependencies. “Various exploitation scenarios for this CVE are possible, but all require that a malicious Parquet/Avro file be placed into an environment which will use the Apache Parquet Avro module to parse it. If you use Apache Parquet Java to parse Parquet files that include embedded Avro, then you should investigate patching.” concludes the report. “Nevertheless, this is somewhat of a high bar for attackers. While Parquet and Avro are used widely, this issue requires a specific set of circumstances that isn’t all that likely in general. Even then, this CVE only allows attackers to trigger the instantiation of a Java object which then must have a side effect that is useful for the attacker. As noted above, this also seems somewhat unlikely to us.” Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs hacking, Apache Parquet)
Published: 2025-05-07T14:08:37