Exploit Tool Released for Critical Apache Parquet Vulnerability CVE-2025-30065
Security researchers at F5 Labs have released a functional proof-of-concept (PoC) exploit tool targeting CVE-2025-30065, a critical remote code execution (RCE) vulnerability in Apache Parquet. This release makes it easier for administrators to identify and secure potentially vulnerable servers.
The tool addresses shortcomings found in previously available PoCs, which were largely ineffective or nonfunctional. While primarily intended to demonstrate the real-world impact of the flaw, it also serves as a diagnostic aid for system administrators evaluating their infrastructure.
Apache Parquet is a widely used open-source columnar storage format, essential to many big data environments and data analytics workflows. The vulnerability, disclosed on April 1, 2025, was initially discovered by Amazon researcher Keyi Li. It affects all Apache Parquet versions up to and including 1.15.0.
Technically, CVE-2025-30065 stems from a deserialization flaw in the parquet-avro module of Apache Parquet for Java. Specifically, it fails to restrict which Java classes can be instantiated when processing embedded Avro data, potentially allowing attackers to execute unauthorized operations.
A day after disclosure, Endor Labs published an advisory warning about the risk of exploitation, particularly in environments where Parquet files are imported from external or untrusted sources. F5 Labs’ further analysis confirmed that while the flaw does not provide full RCE capabilities, it could be misused if a deserialized class performs side effects during instantiation, such as initiating outbound network requests.
“Although Parquet and Avro are widely used, exploitation requires a specific and uncommon set of conditions,” F5 Labs explained. “The vulnerability allows instantiation of Java objects, which must then perform an attacker-beneficial action during construction.”
Despite its complexity, the flaw poses a real risk in environments that routinely handle Parquet files from third-party sources. To help with testing exposure, F5 Labs released a "canary exploit" on GitHub, which triggers an HTTP GET request via instantiation of javax.swing.JEditorKit.
To mitigate the vulnerability, organizations are urged to:
- Upgrade to Apache Parquet version 1.15.1 or newer.
- Set the org.apache.parquet.avro.SERIALIZABLE_PACKAGES configuration to limit the packages from which classes may be instantiated during deserialization.
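A defender-side audit of the class-instantiation behaviour described above and the package allowlist behind the second mitigation, as an added example that is not the F5 Labs tool or Apache Parquet code. It assumes (not stated in the article) that parquet-avro reads the Java class to instantiate from the "java-class", "java-key-class" and "java-element-class" properties of the embedded Avro schema, and that the allowlist is a comma-separated list of package prefixes; the schema and allowlist values are constructed for illustration.

```python
"""Walk an embedded Avro schema and flag Java class annotations outside an allowlist."""
import json

# Assumed schema properties that parquet-avro resolves to Java classes (not from the article).
CLASS_PROPS = ("java-class", "java-key-class", "java-element-class")


def collect_java_classes(node, path="$"):
    """Recursively yield (json_path, property, class_name) for every class annotation."""
    if isinstance(node, dict):
        for prop in CLASS_PROPS:
            if prop in node:
                yield path, prop, node[prop]
        for key, child in node.items():
            if key not in CLASS_PROPS:
                yield from collect_java_classes(child, f"{path}.{key}")
    elif isinstance(node, list):  # Avro unions are JSON arrays
        for i, child in enumerate(node):
            yield from collect_java_classes(child, f"{path}[{i}]")


def package_allowed(class_name, allowed_packages):
    """True if the class's package equals, or is nested under, an allowed prefix."""
    pkg = class_name.rpartition(".")[0]
    return any(pkg == p or pkg.startswith(p + ".") for p in allowed_packages)


def audit_schema(schema_json, allowed_packages):
    """Return the annotations that name a class outside the allowed packages."""
    findings = []
    for path, prop, cls in collect_java_classes(json.loads(schema_json)):
        if not package_allowed(cls, allowed_packages):
            findings.append({"path": path, "property": prop, "class": cls})
    return findings


# Constructed sample: an Avro record schema as it might sit in a Parquet footer.
SAMPLE_SCHEMA = json.dumps({
    "type": "record", "name": "Event",
    "fields": [
        {"name": "id", "type": {"type": "string", "java-class": "java.lang.Integer"}},
        {"name": "ref", "type": ["null", {"type": "string", "java-class": "com.example.UnexpectedClass"}]},
        {"name": "amounts", "type": {"type": "array", "items": "string",
                                     "java-element-class": "java.math.BigDecimal"}},
    ],
})

# Constructed allowlist in the SERIALIZABLE_PACKAGES style (not the project's default).
ALLOWED = ["java.lang", "java.math"]

if __name__ == "__main__":
    for finding in audit_schema(SAMPLE_SCHEMA, ALLOWED):
        print(f"{finding['path']}: {finding['property']} -> {finding['class']} not allowlisted")
```

Run against real files, the schema string would come from the footer's parquet.avro.schema key-value entry; the walk is the same.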