Apache Parquet Flaw: 10.0 CVSS Score, Urgent Patch Needed
A critical vulnerability has been identified in Apache Parquet—an open data storage format widely used in analytics and big data processing ecosystems. Catalogued as CVE-2025-30065, the flaw received a perfect CVSS v4 score of 10.0, denoting the highest possible level of severity. The issue has been resolved in Parquet version 1.15.1.
The vulnerability stems from unsafe data deserialization within the parquet-avro module. Exploitation is possible through the introduction of a specially crafted Parquet file, which can trigger the remote execution of arbitrary code on a targeted system. A successful attack may grant the adversary full control over the system, enabling data theft or alteration, service disruption, or the deployment of malicious software—including ransomware.
Although exploitation requires a user to import the malicious file, the threat remains substantial. Apache Parquet is deeply embedded in the infrastructure of major platforms—from cloud providers like Amazon, Google, and Azure, to analytics ecosystems such as Hadoop and Spark. The format plays a pivotal role in data lakes, ETL pipelines, and analytical frameworks. Organizations leveraging Parquet include Netflix, Uber, Airbnb, and LinkedIn.
The flaw was first discovered by Amazon researcher Keyi Li, who reported it through a responsible disclosure process. The vulnerability was officially disclosed on April 1, 2025. According to a brief bulletin published by Openwall, all versions of Parquet up to and including 1.15.0—dating back to at least version 1.8.0—are affected. The underlying flaw allows an attacker to craft a malicious Avro schema, which when parsed, executes arbitrary instructions on the host system.
Experts at Endor Labs warn that the risk is particularly acute for environments that ingest files from external or untrusted sources—this includes all stages of the data processing chain, from ingestion and storage to downstream analytical tools. Analysts stress the urgency of identifying vulnerable Parquet versions in production environments and conducting immediate audits.
If an upgrade to the patched version is not feasible, it is strongly advised to refrain from processing Parquet files originating from untrusted sources or to enforce rigorous schema validation prior to parsing. Enhanced logging and real-time monitoring of systems handling Parquet files are also recommended.
While there are currently no confirmed reports of active exploitation of CVE-2025-30065, the critical nature of the vulnerability and the widespread adoption of Apache Parquet significantly elevate the risk. Administrators are strongly urged to upgrade to version 1.15.1 without delay.