Full Report
A proof-of-concept exploit tool has been publicly released for a maximum severity Apache Parquet vulnerability, tracked as CVE-2025-30065, making it easy to find vulnerable servers. [...]
Analysis Summary
# Vulnerability: Apache Parquet Avro Deserialization Issue (CVE-2025-30065)
## CVE Details
- CVE ID: CVE-2025-30065
- CVSS Score: 10.0 (Critical) as published; the source report calls it "maximum severity". F5 Labs subsequently argued that "practical exploitation is difficult", since the attacker chooses which class gets instantiated but not what the application does with the resulting object.
- CWE: CWE-502, Deserialization of Untrusted Data (inferred from the description; the root cause is class loading driven by file-supplied schema metadata with no allowlist)
## Affected Systems
- Products: Apache Parquet Java, specifically the `parquet-avro` module (other language implementations of Parquet are not affected)
- Versions: Apache Parquet Java 1.15.0 and earlier; fixed in 1.15.1
- Configurations: Applications that read Parquet files from external or unverified sources through `parquet-avro`. The Avro schema embedded in the file's metadata is parsed when the file is opened, so exposure does not depend on the data pages being read, only on the file reaching the vulnerable reader.
## Vulnerability Description
CVE-2025-30065 is a deserialization flaw in the `parquet-avro` module of Apache Parquet Java. When the module opens a file it parses the Avro schema stored in the file's key-value metadata, and schema attributes that name a Java class (Avro's `java-class` convention for "stringable" types) cause that class to be loaded and instantiated through reflection, with the string value from the file handed to its `String` constructor. The library imposed no allowlist on these class names, so a crafted file can instantiate any class on the application's classpath whose constructor has side effects, for example one that issues an outbound network request.
## Exploitation
- Status: PoC available (F5 Labs published a "canary exploit" tool that builds a triggering file and reports back when a vulnerable reader parses it)
- Complexity: Low to trigger instantiation of an attacker-chosen class; high to turn that into reliable code execution, because the attacker controls only the class name and a single string argument, not what the application does with the object afterwards
- Attack Vector: Network (CVSS AV:N). The trigger is a crafted file parsed by the application, so any upload endpoint, ETL job or data-lake ingest path that accepts Parquet files from untrusted parties is in scope; the library itself need not be reachable over the network.
## Impact
- Confidentiality: Potential (an instantiated class could carry data in the request it makes, and the callback itself tells the attacker which hosts parse their files)
- Integrity: Potential (if the instantiated class modifies data or application state)
- Availability: Potential (a constructor that blocks, exhausts resources or throws during schema parsing could halt the ingest job; not detailed in the source)
The primary concern noted is the side effect itself: the vulnerable system making an HTTP GET request to an attacker-controlled server, which confirms exposure and reveals the reader's egress address.
## Remediation
### Patches
- Upgrade to **Apache Parquet Java 1.15.1 or later**. Note that 1.15.1 shipped with a permissive default allowlist, which was tracked separately as CVE-2025-46762 and tightened in 1.15.2, so 1.15.2 or later with the allowlist set explicitly is the safer target.
### Workarounds
- On patched builds, set the system property `org.apache.parquet.avro.SERIALIZABLE_PACKAGES` to the smallest set of Java packages the data genuinely needs (an empty value is the strictest setting). The property was introduced with the 1.15.1 fix, so it hardens an upgraded install rather than substituting for the upgrade.
- On unpatched builds the only effective mitigation is to stop parsing Parquet files from untrusted sources with `parquet-avro` until the upgrade is done.
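A pre-ingest check for the mechanism described under Vulnerability Description, and a way to decide what the `SERIALIZABLE_PACKAGES` allowlist should contain: the following Python is an added example, not code from the F5 Labs tool or from the Apache Parquet project. It walks the Avro schema that `parquet-avro` stores in the file metadata, collects every attribute that names a Java class, and reports the ones outside a trusted-package allowlist. The metadata keys `parquet.avro.schema` and `avro.schema` are the ones parquet-avro writes; the sample schema, the `DEFAULT_TRUSTED` prefix list and the `scan_parquet_file` helper (which assumes pyarrow is installed) are assumptions made for this example.

```python
"""Scan the Avro schema embedded in a parquet-avro file for class-naming
attributes. Added example; not part of Apache Parquet or the F5 Labs tool."""
import json

# Avro schema attributes that parquet-avro resolves to a Java class name.
CLASS_ATTRS = ("java-class", "java-key-class", "java-element-class")

# Package prefixes we choose to trust, in the spirit of the
# org.apache.parquet.avro.SERIALIZABLE_PACKAGES allowlist (assumption: only
# plain JDK value types are expected in this deployment's data).
DEFAULT_TRUSTED = ("java.lang.", "java.math.", "java.util.", "java.time.")

# Constructed sample in the shape parquet-avro writes under the
# "parquet.avro.schema" metadata key. The Swing class on the "payload" field
# is a UI class with no business in a data file; it is the kind of class a
# crafted file names to get a side effect at instantiation time.
SAMPLE_SCHEMA = json.dumps({
    "type": "record", "name": "Event", "namespace": "demo",
    "fields": [
        {"name": "id", "type": "long"},
        {"name": "when", "type": {"type": "string",
                                  "java-class": "java.time.Instant"}},
        {"name": "payload", "type": {"type": "string",
                                     "java-class": "javax.swing.JEditorPane"}},
        {"name": "tags", "type": {"type": "array", "items": "string",
                                  "java-element-class": "java.util.ArrayList"}},
    ],
})


def iter_class_refs(schema, path="$"):
    """Yield (json_path, attribute, class_name) for every class-naming
    attribute anywhere in an Avro schema given as parsed JSON."""
    if isinstance(schema, dict):
        for attr in CLASS_ATTRS:
            if isinstance(schema.get(attr), str):
                yield path, attr, schema[attr]
        # Recurse into the positions where Avro nests sub-schemas.
        for key in ("fields", "type", "items", "values"):
            if key in schema:
                yield from iter_class_refs(schema[key], f"{path}.{key}")
    elif isinstance(schema, list):          # unions and field lists
        for i, sub in enumerate(schema):
            yield from iter_class_refs(sub, f"{path}[{i}]")
    # Plain strings are primitive names or named-type references: no attrs.


def untrusted_class_refs(schema_json, trusted=DEFAULT_TRUSTED):
    """Return class references whose package is not on the allowlist."""
    return [ref for ref in iter_class_refs(json.loads(schema_json))
            if not ref[2].startswith(trusted)]


def scan_parquet_file(path, trusted=DEFAULT_TRUSTED):
    """Read the embedded schema with pyarrow (assumed installed) and scan it.
    Returns [] for files that carry no parquet-avro schema at all."""
    import pyarrow.parquet as pq
    md = pq.read_metadata(path).metadata or {}
    raw = md.get(b"parquet.avro.schema") or md.get(b"avro.schema")
    return untrusted_class_refs(raw.decode(), trusted) if raw else []


if __name__ == "__main__":
    for json_path, attr, cls in untrusted_class_refs(SAMPLE_SCHEMA):
        print(f"untrusted class {cls} via {attr} at {json_path}")
```

Run `scan_parquet_file(path)` on incoming files before they reach the Java reader and quarantine anything that returns a non-empty list. The prefixes in `DEFAULT_TRUSTED` correspond to the comma-separated package list you would pass to a patched JVM as `-Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES=...`; keeping the two in sync means the static check and the runtime guard enforce the same policy.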
## Detection
- **Indicators of compromise:** Outbound connections from the process that parses Parquet files to destinations it has no reason to reach, in particular an HTTP GET to an external or previously unseen host within seconds of an untrusted file being opened. A canary-style payload produces exactly one such request, so a single unexplained GET from an ingest worker is significant.
- **Detection methods and tools:** The F5 Labs "canary exploit" tool tests exposure proactively: it builds a Parquet file whose embedded schema instantiates `javax.swing.JEditorPane` with a URL, which causes an HTTP GET to the listener when a vulnerable reader parses the file. For ongoing monitoring, route the JVM's egress through a logging proxy and alert on new destinations from ingest processes; the library itself does not log the classes it loads, so application logs alone will not show the instantiation. Because the class loading happens at schema-parse time, inspecting the embedded Avro schema in a file's metadata for class-naming attributes before handing the file to the reader is a practical static check.
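The egress correlation described above, worked through as an added example in Python (not part of the F5 Labs tool or any vendor product): it joins an ingest application's log with an egress proxy log and flags outbound GETs to destinations outside an allowlist that occur within a short window after a Parquet file is opened, attributing each hit to the file opened most recently before the request. The log formats, hostnames and addresses below are constructed for this example; adapt the two regular expressions to your own ingest and proxy logs.

```python
"""Correlate Parquet ingest events with outbound HTTP GETs. Added example;
the log formats and values below are constructed, not from a real system."""
import re
from datetime import datetime, timezone

# Constructed application log: one line per Parquet file opened by the reader.
APP_LOG = [
    "2025-05-02T10:00:00Z INFO ParquetIngest reading file=/data/in/sales.parquet",
    "2025-05-02T10:00:30Z INFO ParquetIngest reading file=/data/in/upload-7f3a.parquet",
]

# Constructed egress proxy log for the same host.
EGRESS_LOG = [
    "2025-05-02T10:00:01Z host=app-01 method=GET dst=metrics.internal.example url=http://metrics.internal.example/push",
    "2025-05-02T10:00:31Z host=app-01 method=GET dst=203.0.113.7 url=http://203.0.113.7/canary/7f3a",
    "2025-05-02T10:05:00Z host=app-01 method=GET dst=198.51.100.9 url=http://198.51.100.9/",
]

INGEST_RE = re.compile(r"^(?P<ts>\S+) .*ParquetIngest reading file=(?P<file>\S+)")
EGRESS_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) method=(?P<method>\S+) "
    r"dst=(?P<dst>[^:\s]+)(?::\d+)? url=(?P<url>\S+)")


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamps used in both constructed logs."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(app_lines, egress_lines, allowed_dsts, window_s=5.0):
    """Return outbound GETs to destinations outside `allowed_dsts` that occur
    within `window_s` seconds after a Parquet file was opened. Each hit names
    the file opened most recently before the request."""
    ingests = sorted(
        (parse_ts(m["ts"]), m["file"])
        for m in map(INGEST_RE.match, app_lines) if m)
    hits = []
    for m in map(EGRESS_RE.match, egress_lines):
        if not m or m["method"] != "GET" or m["dst"] in allowed_dsts:
            continue
        when = parse_ts(m["ts"])
        # Walk ingests newest-first so the hit is attributed to the file
        # opened most recently before the request.
        for opened, path in reversed(ingests):
            delay = (when - opened).total_seconds()
            if 0 <= delay <= window_s:
                hits.append({"file": path, "dst": m["dst"], "url": m["url"],
                             "delay_s": delay})
                break
    return hits


if __name__ == "__main__":
    for hit in correlate(APP_LOG, EGRESS_LOG, {"metrics.internal.example"}):
        print(f"{hit['file']} -> GET {hit['url']} after {hit['delay_s']:.0f}s")
```

The window is deliberately short because the instantiation happens while the schema is parsed, before any rows are read; a request minutes later is more likely ordinary application traffic. Feed the flagged file name back into the static schema check so the alert carries the offending class name as well as the destination.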
## References
- Vendor Advisory: Apache Parquet security announcement for CVE-2025-30065 (referenced by the source but not linked)
- F5 Labs Report: hxxps://www.f5.com/labs/articles/threat-intelligence/canary-exploit-tool-for-cve-2025-30065-apache-parquet-avro-vulnerability
- PoC Tool: hxxps://github.com/F5-Labs/parquet-canary-exploit-rce-poc-CVE-2025-30065