A proof-of-concept exploit device has been publicly launched for a most severity Apache Parquet vulnerability, tracked as CVE-2025-30065, making it straightforward to seek out weak servers.
The device was launched by F5 Labs researchers who investigated the vulnerability after discovering that a number of present PoCs had been both weak or utterly non-functional.
The device serves as proof of CVE-2025-30065’s sensible exploitability and also can assist directors consider their environments and safe servers.
Apache Parquet is an open-source, columnar storage format designed for environment friendly information processing, extensively utilized by massive information platforms and organizations engaged in information engineering and analytics.
The flaw was first disclosed on April 1, 2025, following an earlier discovery by Amazon researcher Keyi Li. It was categorized as a distant code execution impacting all variations of Apache Parquet as much as and together with 1.15.0.
From a technical perspective, CVE-2025-30065 is a deserialization flaw within the parquet-avro module of Apache Parquet Java, the place the library fails to limit which Java courses will be instantiated when studying Avro information embedded in Parquet recordsdata.
On April 2, 2025, Endor Labs revealed a write-up warning in regards to the threat of exploitation and its potential affect on methods that import Parquet recordsdata from exterior factors.
Subsequent evaluation by F5 Labs exhibits that the flaw will not be a full deserialization RCE however can nonetheless be misused if a category has negative effects throughout instantiation, like when making a community request from the weak system to an attacker-controlled server.
Nonetheless, the researchers concluded that sensible exploitation is tough, and CVE-2025-30065 has restricted worth to attackers.
“Whereas Parquet and Avro are used extensively, this subject requires a selected set of circumstances that is not all that seemingly usually,” reads the F5 Labs report.
“Even then, this CVE solely permits attackers to set off the instantiation of a Java object which then will need to have a aspect impact that’s helpful for the attacker.”
Regardless of the low probability of exploitation, the researchers admit that some organizations course of Parquet recordsdata from exterior, usually unverified sources, and therefore the chance is important in some environments.
Because of this, F5 Labs created a “canary exploit” device (out there on GitHub) that triggers an HTTP GET request through instantiation of javax.swing.JEditorKit, permitting customers to confirm publicity.
Apart from utilizing the device, it is strongly recommended to improve to Apache Parquet model 15.1.1 or later, and configure ‘org.apache.parquet.avro.SERIALIZABLE_PACKAGES’ to limit which packages are allowed for deserialization.
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and methods to defend towards them.
