Skip to main content

Avro

7 CVEs product

Monthly

CVE-2025-33042 LIB HIGH PATCH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas. This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0. [CVSS 7.3 HIGH]

Apache Java Code Injection Avro Red Hat
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2024-47561 Maven CRITICAL PATCH Act Now

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Apache Java Avro +2
NVD
CVSS 4.0
9.2
EPSS
3.3%
CVE-2023-39410 LIB HIGH PATCH This Week

When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.11.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Apache Deserialization Avro
NVD
CVSS 3.1
7.5
EPSS
1.8%
CVE-2023-37475 Go HIGH POC PATCH This Week

Hamba avro is a go lang encoder/decoder implementation of the avro codec specification. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Avro
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2022-36125 Cargo HIGH PATCH This Week

It is possible to crash (panic) an application by providing a corrupted data to be read.14.0 (previously known as avro-rs). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Avro
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2022-36124 LIB HIGH PATCH This Week

It is possible for a Reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.14.0 (previously known as avro-rs). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Apache Denial Of Service Avro
NVD VulDB
CVSS 3.1
7.5
EPSS
1.3%
CVE-2022-35724 Cargo HIGH PATCH This Week

It is possible to provide data to be read that leads the reader to loop in cycles endlessly, consuming CPU.14.0 (previously known as avro-rs). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Avro
NVD
CVSS 3.1
7.5
EPSS
1.6%
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas. This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0. [CVSS 7.3 HIGH]

Apache Java Code Injection +2
NVD VulDB
EPSS 3% CVSS 9.2
CRITICAL PATCH Act Now

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Apache +4
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.11.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Apache Deserialization +1
NVD
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Hamba avro is a go lang encoder/decoder implementation of the avro codec specification. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Avro
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

It is possible to crash (panic) an application by providing a corrupted data to be read.14.0 (previously known as avro-rs). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Avro
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

It is possible for a Reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.14.0 (previously known as avro-rs). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Apache Denial Of Service Avro
NVD VulDB
EPSS 2% CVSS 7.5
HIGH PATCH This Week

It is possible to provide data to be read that leads the reader to loop in cycles endlessly, consuming CPU.14.0 (previously known as avro-rs). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Avro
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy