A maximum severity security vulnerability has been disclosed in Apache Parquet’s Java Library that, if successfully exploited, could allow a remote attacker to execute arbitrary code on susceptible instances.
Apache Parquet is a free and open-source columnar data file format that’s designed for efficient data processing and retrieval, providing support for complex data, high-performance compression, and encoding schemes. It was first launched in 2013.
The vulnerability in question is tracked as CVE-2025-30065. It carries a CVSS score of 10.0.
“Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code,” the project maintainers said in an advisory.
According to Endor Labs, successful exploitation of the flaw requires tricking a vulnerable system into reading a specially crafted Parquet file to obtain code execution.
“This vulnerability can impact data pipelines and analytics systems that import Parquet files, particularly when those files come from external or untrusted sources,” the company said. “If attackers can tamper with the files, the vulnerability may be triggered.”
The shortcoming impacts all versions of the software up to and including 1.15.0. It has been addressed in version 1.15.1. Keyi Li of Amazon has been credited with discovering and reporting the flaw.
While there is no evidence that the flaw has been exploited in the wild, vulnerabilities in Apache projects have become a lightning rod for threat actors looking to opportunistically breach systems and deploy malware.
Last month, a critical security flaw in Apache Tomcat (CVE-2025-24813, CVSS score: 9.8) came under active exploitation within 30 hours of public disclosure.
Cloud security firm Aqua, in an analysis published this week, said it discovered a new attack campaign that targets Apache Tomcat servers with easy-to-guess credentials to deploy encrypted payloads that are designed to steal SSH credentials for lateral movement and ultimately hijack the system resources for illicit cryptocurrency mining.
The payloads are also capable of establishing persistence and acting as a Java-based web shell that “enables the attacker to execute arbitrary Java code on the server,” Assaf Morag, director of threat intelligence at Aqua, said.
“In addition, the script is designed to check if the user has root privileges and if so it executes two functions that optimize CPU consumption for better cryptomining results.”
The campaign, which affects both Windows and Linux systems, is likely assessed to be the work of a Chinese-speaking threat actor owing to the presence of Chinese language comments in the source code.
