A newly disclosed vulnerability, CVE-2025-30065, affects Apache Parquet versions up to 1.15.0, specifically within the parquet-avro module’s schema parsing logic. This critical remote code execution (RCE) vulnerability can be exploited by tricking systems into processing a malicious Parquet file, potentially leading to arbitrary code execution.
While the CVSS score is critical, the current Exploitation Probability (EPSS) score is 0.09%, suggesting a low likelihood of exploitation at this time. However, we’ve seen in past cases that EPSS scores can escalate quickly as new exploitation techniques emerge. The latest EPSS risk data is updated daily and will be automatically reflected in your Apiiro risks and insights, helping you prioritize response based on real-world context.
Apiiro’s SCA solution automatically detects vulnerable open source libraries like parquet-avro, so you can quickly assess impact and take action.
Use the Risk Graph Explorer to query your application inventory and identify all the vulnerable versions of Apache Parquet.
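
For teams that want to run the same inventory check by hand, the following is an added example, not Apiiro's tooling and not code from the original advisory. It flags parquet-avro entries at or below 1.15.0 in `mvn dependency:tree` output or plain `group:artifact:version` coordinates; the function names and the sample lines are constructed for illustration, and the cutoff is taken from the "up to 1.15.0" range stated above.

```python
import re

# Cutoff from the advisory text: "versions up to 1.15.0" are affected.
LAST_AFFECTED = (1, 15, 0)
COORD = re.compile(r"org\.apache\.parquet:parquet-avro:[^\s\"',;]+")

def parse_version(text):
    """Return the leading numeric release as a 3-tuple, or None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(p or 0) for p in m.groups()) if m else None

def extract_version(coord):
    """Version from g:a:v or Maven's g:a:type[:classifier]:version:scope."""
    parts = coord.split(":")[2:]
    return parts[-2] if len(parts) >= 3 else parts[-1]

def scan(lines):
    """Return (line number, raw version, status) for each parquet-avro hit."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for coord in COORD.findall(line):
            raw = extract_version(coord)
            ver = parse_version(raw)
            if ver is None:
                status = "unknown"        # unresolved property: review by hand
            elif ver <= LAST_AFFECTED:
                status = "affected"
            else:
                status = "not-affected"
            findings.append((lineno, raw, status))
    return findings

# Constructed sample: Maven dependency:tree lines plus Gradle-style coordinates.
SAMPLE = """\
[INFO] com.example:ingest-service:jar:2.4.0
[INFO] +- org.apache.parquet:parquet-avro:jar:1.13.1:compile
[INFO] |  \\- org.apache.parquet:parquet-column:jar:1.13.1:compile
implementation org.apache.parquet:parquet-avro:1.15.0
implementation org.apache.parquet:parquet-avro:1.15.1
implementation org.apache.parquet:parquet-avro:${parquetVersion}
""".splitlines()

if __name__ == "__main__":
    for lineno, raw, status in scan(SAMPLE):
        print(f"line {lineno}: parquet-avro {raw} -> {status}")
```

Entries reported as `unknown` carry a version the script could not resolve (for example a build property) and need a manual look; pre-release qualifiers such as `-SNAPSHOT` are compared by their numeric part only.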