Do Son 
A vulnerability in Apache Parquet, designated as CVE-2025-30065 and carrying the maximum CVSS score of 10.0, has entered a more dangerous phase: researchers at F5 Labs have released a functional exploit demonstrating its viability in real-world attack scenarios. This development significantly lowers the barrier for threat actors to compromise vulnerable servers.
Apache Parquet is an open, columnar storage format widely employed in analytics, big data processing, and data engineering projects. The vulnerability resides in the parquet-avro component of the Java library, which is responsible for reading Avro data within Parquet files.
The flaw lies in the absence of restrictions on which Java classes can be instantiated during deserialization. This oversight opens the door to exploitation with unintended side effects, such as forcing an HTTP request to a server controlled by an attacker.
Although the vulnerability was initially disclosed in early April by Amazon researcher Keyi Li, most publicly available proof-of-concept tools at the time were either unreliable or entirely ineffective. In response, F5 Labs developed and published a non-malicious testing exploit, referred to as the Canary Exploit. While it does no harm, it verifies whether a system is vulnerable by invoking the javax.swing.JEditorKit class, which performs a network request.
F5 Labs clarifies that this is not a case of direct remote code execution. However, if instantiating a particular class results in network communication, data retrieval, or other meaningful side effects, the vulnerability may be leveraged as part of a broader attack chain. This is especially concerning for infrastructures that automatically process externally sourced Parquet files—such as ETL pipelines in data analytics systems.
Despite the need for a rare alignment of conditions for a successful attack, the exploit authors stress that the risk should not be underestimated. In enterprise environments where Parquet files originate from third-party sources, the potential for compromise is significant.
To mitigate the threat, security experts recommend upgrading to Apache Parquet version 1.15.1 or later and configuring the org.apache.parquet.avro.SERIALIZABLE_PACKAGES parameter to explicitly define which packages are permitted for deserialization.
The public release of a fully functional exploit may spur waves of scanning and automated attacks, particularly targeting outdated and poorly secured systems. Thus, even with the technical complexity involved, defenders must respond swiftly and decisively.
