• Researchers claim Apache Parquet was carrying a maximum-severity flaw
• It allows threat actors to run arbitrary code
• A patch was released, and users are urged to apply it

Apache Parquet, a columnar storage file format, was carrying a maximum-severity vulnerability that allowed threat actors to run arbitrary code on affected endpoints.

Parquet is a columnar storage file format optimized for efficient data storage and processing, commonly used in big data and analytics workloads, with Amazon, Google, Microsoft, and Meta just some of the large companies which use it.

The bug, spotted on April 1, 2025, by Amazon security researcher Key Li, is now tracked as CVE-2025-30065, and has a maximum severity score - 10/10 (critical).

Monitor your credit score with TransUnion starting at $29.95/month

TransUnion is a credit monitoring service that helps you stay on top of your financial health. With real-time alerts, credit score tracking, and identity theft protection, it ensures you never miss important changes. You'll benefit from a customizable online interface with clear insights into your credit profile. Businesses also benefit from TransUnion’s advanced risk assessment tools.

Preferred partner (What does this mean?)

View Deal

Patch and mitigations

“Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code,” a short description on the NVD page reads. “Users are recommended to upgrade to version 1.15.1, which fixes the issue.”

The problem reportedly stems from the deserialization of untrusted data, that allows threat actors to gain control of target systems via specially crafted Parquet files.

he caveat here is that the victim needs to be tricked into importing the files which, the researchers suggest, means that the threat is not as imminent, despite the 10/10 score.

Those that are unable to upgrade their Apache Parquet instances to version 1.15.1 straight away are advised to avoid untrusted Parquet files, or at least to carefully analyze them before taking action.

Furthermore, IT teams should monitor and log their Parquet processing systems more closely these days.

At press time, there was no evidence of abuse in the wild, although hackers usually start scanning for vulnerable endpoints once a patch is released, betting that many organizations don’t apply it on time.

Via BleepingComputer

You might also like

• Security experts take down spam network hitting millions of iOS devices
• We've rounded up the best password managers
• Take a look at our guide to the best authenticator app