
Apr 04, 2025 | Ravie Lakshmanan | Vulnerability / Cloud Security

A critical-severity vulnerability has been disclosed in Apache Parquet's Java library that, if successfully exploited, could allow remote attackers to execute arbitrary code on affected systems.

Apache Parquet is an open-source, columnar data file format introduced in 2013, designed to facilitate efficient data processing and retrieval. It supports complex data, high-performance compression, and encoding schemes.

The vulnerability is tracked as CVE-2025-30065 and carries the maximum CVSS score of 10.0, placing it in the critical severity range.

According to the project maintainers, the vulnerability arises from the schema parsing in the parquet-avro module of Apache Parquet versions 1.15.0 and earlier, allowing malicious actors to execute arbitrary code.

Endor Labs notes that successful exploitation of this flaw requires deceiving a vulnerable system into reading a specially crafted Parquet file, thereby achieving code execution.

The flaw is therefore most relevant to data pipelines and analytics systems that ingest Parquet files from external or untrusted sources; if an attacker can tamper with those files, the vulnerability can be triggered, the company noted in its advisory.

The issue affects all versions up to and including 1.15.0 and has been addressed in version 1.15.1. Keyi Li of Amazon is credited with the discovery and reporting of this flaw.
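Because the advisory pins the affected range precisely (parquet-avro up to and including 1.15.0, fixed in 1.15.1), the first thing a practitioner wants is an inventory scan that tells them which builds still need the upgrade. The following is an added example, not code from the article, Endor Labs or the Apache Parquet project; it assumes the input is the coordinate lines printed by `mvn dependency:list` (groupId:artifactId:type:version:scope), and the sample lines it embeds are constructed for illustration.

```python
"""Check a Maven dependency inventory for parquet-avro builds hit by CVE-2025-30065.

Added example; not code from the article, Endor Labs or the Apache Parquet
project. The advisory cited above affects parquet-avro 1.15.0 and earlier and
is fixed in 1.15.1. The input format assumed here is the coordinate line that
`mvn dependency:list` prints (groupId:artifactId:type:version:scope); the
sample below is constructed, not real project output.
"""
import re

FIXED_VERSION = "1.15.1"            # first fixed release per the advisory
AFFECTED_GROUP = "org.apache.parquet"
AFFECTED_ARTIFACT = "parquet-avro"  # the module the advisory names

# Constructed sample inventory for the example (not real project output).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.parquet:parquet-avro:jar:1.15.0:compile
[INFO]    org.apache.parquet:parquet-hadoop:jar:1.15.0:compile
[INFO]    org.apache.avro:avro:jar:1.11.4:compile
[INFO]    org.apache.parquet:parquet-avro:jar:1.9.0:test
[INFO]    org.apache.parquet:parquet-avro:jar:1.15.1:compile
[INFO]    org.apache.parquet:parquet-avro:jar:1.15.0-SNAPSHOT:provided
[INFO]    org.apache.parquet:parquet-avro:jar:weird-build:compile
"""

# groupId:artifactId:type:version:scope
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w.\-]+:([\w.\-]+):(\w+)")
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def version_key(version):
    """Map 'MAJOR.MINOR.PATCH[suffix]' to a tuple that compares numerically.

    Plain string comparison gets this wrong ('1.9.0' > '1.15.0'), so the
    numbers are parsed. Anything trailing the three numbers (e.g. '-SNAPSHOT')
    is treated as a pre-release of that number, so 1.15.1-SNAPSHOT sorts
    below the real 1.15.1 and is still reported as unfixed.
    """
    m = VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(part) for part in m.groups())
    is_release = 1 if version[m.end():] == "" else 0
    return nums + (is_release,)


def is_vulnerable(version):
    """True when the version predates the fix (strictly below FIXED_VERSION)."""
    return version_key(version) < version_key(FIXED_VERSION)


def find_vulnerable(dependency_list):
    """Return (version, scope, reason) for every parquet-avro entry to act on.

    Versions that cannot be parsed are reported as well (fail closed) rather
    than silently passed, since an unknown build cannot be assumed fixed.
    """
    findings = []
    for line in dependency_list.splitlines():
        m = COORD_RE.search(line)
        if m is None:
            continue
        group, artifact, version, scope = m.groups()
        if (group, artifact) != (AFFECTED_GROUP, AFFECTED_ARTIFACT):
            continue
        try:
            if is_vulnerable(version):
                findings.append((version, scope, f"below fixed {FIXED_VERSION}"))
        except ValueError:
            findings.append((version, scope, "unparseable version, review manually"))
    return findings


if __name__ == "__main__":
    for version, scope, reason in find_vulnerable(SAMPLE_DEPENDENCY_LIST):
        print(f"{AFFECTED_ARTIFACT} {version} ({scope}): {reason}")
```

Two details matter in practice: versions must be compared numerically, or 1.9.0 will look newer than 1.15.0, and a version string the scanner cannot parse should be surfaced for review rather than quietly skipped. Run the scan against every module's resolved dependency tree, since parquet-avro often arrives transitively rather than as a direct dependency.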

Although there is currently no evidence of this vulnerability being exploited in the wild, flaws in Apache projects are frequently weaponized by threat actors seeking to breach systems and opportunistically deploy malware.

Last month, a critical security flaw in Apache Tomcat, CVE-2025-24813 (CVSS score: 9.8), came under active exploitation within 30 hours of its public disclosure.

A recent analysis by cloud security firm Aqua revealed a new attack campaign targeting Apache Tomcat servers with easily guessable credentials to deploy encrypted payloads. These payloads are designed to steal SSH credentials for lateral movement and eventually hijack system resources for illicit cryptocurrency mining.

These payloads can also establish persistence and function as a Java-based web shell, enabling attackers to execute arbitrary Java code on the server, according to Assaf Morag, director of threat intelligence at Aqua.

Furthermore, the script checks for root privileges and, if found, optimizes CPU consumption for better cryptocurrency mining outcomes.

This campaign, which affects both Windows and Linux systems, is believed to be the work of a Chinese-speaking threat actor due to the presence of Chinese comments in the source code.
