A critical remote code execution (RCE) vulnerability in Apache Parquet, identified as CVE-2025-30065, with a CVSS score of 10.0, has been discovered. Continue reading this Cybersecurity Threat Advisory to learn how to effectively mitigate your risks.
What is the threat?
CVE-2025-30065 allows an attacker to execute arbitrary code on a given system. This can be done by taking advantage of the current insecure deserialization process in the Parquet file format. If the vulnerability is not properly secured, attackers can exploit the flaw to run malicious code on the system.
Why is it noteworthy?
Apache Parquet is used across various data processing platforms, including Hadoop, AWS, Google Cloud, Azure, and data lakes. Its widespread adoption means many organizations could be at risk. Since Parquet plays a key role in data storage and analytics, this vulnerability poses a critical threat that requires swift action to patch and secure systems.
What is the exposure or risk?
The is a high risk vulnerability, particularly for organizations relying on Parquet for data processing, analytics, and machine learning. A successful exploitation enables attackers to complete RCE, as well as compromising the integrity of data systems. This could result in unauthorized data access, data exfiltration, service disruptions, or the deployment of malicious software like ransomware, significantly threatening both security and business continuity.
What are the recommendations?
Barracuda recommends the following actions to mitigate risks:
- Upgrade to Apache version 1.15.1.
- Review and update access permissions for systems using Apache Parquet regularly to ensure that only authorized users have access.
- Monitor data pipelines continuously for any unusual activity or unauthorized access attempts, particularly those that automatically consume Parquet files from untrusted sources.
- Develop an incident response plan that establishes procedures for identifying, containing, and remediating exploitation attempts on systems using Apache Parquet. This ensures all relevant personnel are trained on their roles during a security incident.
- Use network segmentation that isolates critical infrastructure from systems that utilize Apache Parquet.
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.bleepingcomputer.com/news/security/max-severity-rce-flaw-discovered-in-widely-used-apache-parquet/
- https://access.redhat.com/security/cve/CVE-2025-30065
- https://github.com/h3st4k3r/CVE-2025-30065
- https://nvd.nist.gov/vuln/detail/CVE-2025-30065
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.