Which versions of Parquet Java are affected by CVE-2025-30065?

Organizations using the parquet-avro module of Apache Parquet 1.15.0 and previous face critical risk from CVE-2025-30065, a insecure deserialization vulnerability rated CVSS 10.0.. A patch is available.

Is there a public PoC exploit available for CVE-2025-30065?

Yes, a public proof-of-concept exploit is available for CVE-2025-30065. Prioritise patching immediately. EPSS: 0.5%.

How to fix or mitigate CVE-2025-30065?

Within 24 hours: Identify all affected systems running the parquet-avro module of Apache Parquet 1.15.0 and previou and apply vendor patches immediately. Restrict deserialization to trusted data sources and implement integrity checks.

Parquet Java CVE-2025-30065

Q: What is the CVSS score of CVE-2025-30065?

CVE-2025-30065 has a CVSS 4.0 base score of 10.0 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.5%.

CRITICAL

Deserialization of Untrusted Data (CWE-502)

2025-04-01 security@apache.org

Apache RCE Deserialization Parquet Java Red Hat

10.0

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

10.0 CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Red Hat

10.0 CRITICAL

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:34 vuln.today

Patch released

Mar 28, 2026 - 18:34 nvd

Patch available

PoC Detected

Jul 28, 2025 - 14:23 vuln.today

Public exploit code

CVE Published

Apr 01, 2025 - 08:15 nvd

CRITICAL 10.0

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

75 maven packages depend on org.apache.parquet:parquet-avro (32 direct, 43 indirect)

Ecosystem-wide dependent count for version 1.15.1.

DescriptionCVE.org

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code

Users are recommended to upgrade to version 1.15.1, which fixes the issue.

AnalysisAI

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code Users are recommended to upgrade to version 1.15.1, which fixes. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Deserialization of Untrusted Data (CWE-502), which allows attackers to execute arbitrary code through malicious serialized objects. Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code Users are recommended to upgrade to version 1.15.1, which fixes the issue. Affected products include: Apache Parquet Java. Version information: version 1.15.1.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Avoid deserializing untrusted data. Use safe serialization formats (JSON). Implement integrity checks and type allowlists.

Vendor StatusVendor

CVE-2025-30065 vulnerability details – vuln.today

Back