Apache Parquet users warned of maximum risk security flaw, told to patch now

News
By published

Flaw can lead to arbitrary code execution on vulnerable endpoints

Closing the cybersecurity skills gap
(Image credit: Shutterstock)
  • Researchers claim Apache Parquet was carrying a maximum-severity flaw
  • It allows threat actors to run arbitrary code
  • A patch was released, and users are urged to apply it

Apache Parquet, a columnar storage file format, was carrying a maximum-severity vulnerability that allowed threat actors to run arbitrary code on affected endpoints.

Parquet is a columnar storage file format optimized for efficient data storage and processing, commonly used in big data and analytics workloads, with Amazon, Google, Microsoft, and Meta just some of the large companies which use it.

The bug, spotted on April 1, 2025, by Amazon security researcher Key Li, is now tracked as CVE-2025-30065, and has a maximum severity score - 10/10 (critical).

Monitor your credit score with TransUnion starting at $29.95/month

Monitor your credit score with TransUnion starting at $29.95/month

TransUnion is a credit monitoring service that helps you stay on top of your financial health. With real-time alerts, credit score tracking, and identity theft protection, it ensures you never miss important changes. You'll benefit from a customizable online interface with clear insights into your credit profile. Businesses also benefit from TransUnion’s advanced risk assessment tools.

Preferred partner (What does this mean?)

View Deal

Patch and mitigations

“Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code,” a short description on the NVD page reads. “Users are recommended to upgrade to version 1.15.1, which fixes the issue.”

The problem reportedly stems from the deserialization of untrusted data, that allows threat actors to gain control of target systems via specially crafted Parquet files.

he caveat here is that the victim needs to be tricked into importing the files which, the researchers suggest, means that the threat is not as imminent, despite the 10/10 score.

Those that are unable to upgrade their Apache Parquet instances to version 1.15.1 straight away are advised to avoid untrusted Parquet files, or at least to carefully analyze them before taking action.

Furthermore, IT teams should monitor and log their Parquet processing systems more closely these days.

At press time, there was no evidence of abuse in the wild, although hackers usually start scanning for vulnerable endpoints once a patch is released, betting that many organizations don’t apply it on time.

Via BleepingComputer

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

More about security
Abstract image of cyber security in action.

FBI, CISA warns of new Fast Flux DNS evasion being used by cyber gangs
Abstract image of cyber security in action.

Australia's largest pension funds hit by hackers, thousands of dollars stolen
The Nintendo Switch 2 consoel boxes on a stand

The Switch 2’s $450 price tag is a ‘strategic balancing act’ and Nintendo could be ‘building in a buffer’ in regards to tariffs, analysts say
See more latest
Most Popular
The Nintendo Switch 2 consoel boxes on a stand
The Switch 2’s $450 price tag is a ‘strategic balancing act’ and Nintendo could be ‘building in a buffer’ in regards to tariffs, analysts say
A collage of Dante in Devil May Cry, Molly in Dying for Sex, and Hub in The Bondsman
7 new movies and TV shows to stream on Netflix, Prime Video, Max, and more this weekend (April 4)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Saturday, April 5 (game #398)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Saturday, April 5 (game #664)
Quordle on a smartphone held in a hand
Quordle hints and answers for Saturday, April 5 (game #1167)
Lexar Play Pro Micro SD Express card.
The Nintendo Switch 2 isn't even out yet, but I already want to get my hands on this 1TB Micro SD Express card from Lexar
A very subtle image of money falling in front of Nvidia's HQ while GPUs pop out
Latest Nvidia RTX 5060 Ti GPU rumor suggests good news and bad when it comes to price
The Canon EOS R7 camera sitting on a stone step
Canon EOS R7 Mark II rumored for 2025 with these significant upgrades – watch out Fujifilm
Abstract image of cyber security in action.
FBI, CISA warns of new Fast Flux DNS evasion being used by cyber gangs
A laptop with the Windows 11 desktop on screen, glowing, while on a work desk
Windows 11 is getting a very handy change to the taskbar, as Microsoft takes a leaf from Apple’s Mac playbook