CVE-2025-46762 · HIGH 8.1 · EPSS p69.9%

CVE-2025-46762

Description

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and earlier versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default set of trusted packages still allows malicious classes from those packages to be executed. The exploit is only applicable if the client code of parquet-avro deliberately uses the "specific" or the "reflect" model for reading Parquet files (the "generic" model is not impacted). Users are recommended to upgrade to 1.15.2, or to set the system property "org.apache.parquet.avro.SERIALIZABLE_PACKAGES" to an empty string on 1.15.1. Either is sufficient to fix the issue.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.45% probability of exploitation · percentile 69.9% · 2026-06-18T12:00:27Z
Published: 2025-05-06
Last modified: 2025-09-02

Underlying weaknesses · 1

CWE-73

References

  1. https://lists.apache.org/thread/t7724lpvl110xsbgqwsmrdsns0rhycdp
  2. http://www.openwall.com/lists/oss-security/2025/05/02/1


Type       Target                                           Confidence   Tier
Weakness   External Control of File Name or Path (cwe-73)   0%           live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2025-30065
  2. CVE: CVE-2026-46718
  3. CVE: CVE-2025-46183
  4. CVE: CVE-2025-6544
  5. CVE: CVE-2025-10492
  6. CVE: CVE-2025-54920
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.