- Researchers claim Apache Parquet was carrying a maximum-severity flaw
- It allows threat actors to execute arbitrary code
- A fix has been published and users are urged to apply it
Apache Parquet, a columnar storage file format, carried a maximum-severity vulnerability that allowed threat actors to execute arbitrary code on affected endpoints.
Parquet is a columnar storage format optimized for efficient data storage and processing, commonly used in big data and analytics workloads, with Amazon, Google, Microsoft and Meta being just some of the large companies that use it.
The bug, spotted on April 1, 2025 by Amazon security researcher Key Li, is now tracked as CVE-2025-30065 and has a maximum severity score of 10/10 (critical).
Patch and mitigations
“Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code”, reads a brief description on the NVD page. “Users are recommended to upgrade to version 1.15.1, which fixes the issue.”
The problem reportedly stems from the deserialization of untrusted data, which allows threat actors to take control of target systems via specially crafted Parquet files.
The caveat here is that the victim must be tricked into importing the files, which, researchers suggest, means the threat is not as imminent, despite the 10/10 score.
Those who are unable to upgrade their Apache Parquet instances to version 1.15.1 immediately are advised to avoid untrusted Parquet files, or at least to analyze them carefully before processing them.
In addition, IT teams should step up monitoring and logging on their Parquet processing systems for the time being.
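To find where the upgrade is still pending, teams can inventory the parquet-avro jars deployed on a host. The script below is an added example, not code from the Apache Parquet project or the researchers: it flags any parquet-avro older than 1.15.1, checking both the jar file name and, for bundled "fat" jars, the Maven `pom.properties` entry, on the assumption that the jars were built with Maven and kept that metadata. The function names are illustrative.

```python
import re
import zipfile
from pathlib import Path

FIXED = (1, 15, 1)  # first fixed release, per the NVD text quoted above
# Assumption: Maven-built jars keep this metadata entry, even when shaded into a fat jar.
POM_PROPS = "META-INF/maven/org.apache.parquet/parquet-avro/pom.properties"
NAME_RE = re.compile(r"parquet-avro-(\d+(?:\.\d+)*)[^/]*\.jar$")


def parse_version(text):
    """Turn '1.15.0' or '1.15.0-SNAPSHOT' into a comparable tuple such as (1, 15, 0)."""
    nums = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not nums:
        return None
    parts = [int(p) for p in nums.group().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parquet_avro_version(jar_path):
    """Return the parquet-avro version found in a jar, or None if it is absent."""
    m = NAME_RE.search(Path(jar_path).name)
    if m:
        return parse_version(m.group(1))
    try:
        with zipfile.ZipFile(jar_path) as jar:
            if POM_PROPS in jar.namelist():
                text = jar.read(POM_PROPS).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("version="):
                        return parse_version(line.split("=", 1)[1])
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable or non-zip file: nothing to report
    return None


def find_vulnerable(root):
    """List (path, version) for every jar under root older than the fixed release."""
    hits = []
    for jar_path in sorted(Path(root).rglob("*.jar")):
        version = parquet_avro_version(jar_path)
        if version is not None and version < FIXED:
            hits.append((str(jar_path), ".".join(map(str, version))))
    return hits


if __name__ == "__main__":
    import sys
    for path, version in find_vulnerable(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: parquet-avro {version} (upgrade to 1.15.1)")
```

A clean result only covers jars that still carry their name or Maven metadata; repackaged builds that strip both need a dependency report from the build tool instead.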
At press time, there was no evidence of abuse in the wild, although hackers generally begin scanning for vulnerable endpoints once a fix is released, betting that many organizations will not apply it in time.
Via BleepingComputer