来源

关联漏洞

描述

​After reviewing the provided Proof of Concept (PoC) for CVE-2025-30065, it appears that the vulnerability exploits the deserialization mechanism in Apache Parquet's handling of Avro schemas, particularly through the use of the default property to instantiate arbitrary classes.

介绍

# CVE-2025-30065 Proof of Concept - Apache Parquet RCE

> ⚠️ FOR EDUCATIONAL AND AUTHORIZED SECURITY RESEARCH ONLY ⚠️  
> Do not use in unauthorized environments. This PoC is provided **as-is** and the author is not responsible for misuse.

## Description

This Proof of Concept demonstrates **CVE-2025-30065**, a Remote Code Execution vulnerability affecting **Apache Parquet** when using Avro schemas.  
It leverages insecure deserialization through the `default` field in Avro, allowing instantiation of arbitrary Java classes.

The PoC generates a malicious `.parquet` file containing a crafted schema and embedded warning header.  
Execution occurs if the vulnerable system deserializes this schema and has the target payload class in its classpath.

## Author

**@h3st4k3r** — VM, CTI & researcher  
https://github.com/h3st4k3r

## File

- `POC-CVE-2025-30065-ParquetExploitGenerator.java`: Main PoC source code. Generates a malicious Parquet file.

## Requirements

- Java 8+
- Maven (for dependencies)
- Apache Parquet `parquet-avro` dependency (vulnerable: ≤ 1.15.0)
- Hadoop Core (for `Path` and `Configuration` classes)

## Build & Run

```bash
# Get Parquet Avro dependency
mvn dependency:get -Dartifact=org.apache.parquet:parquet-avro:1.15.0

# Compile
javac -cp ~/.m2/repository/org/apache/parquet/*:~/.m2/repository/org/apache/hadoop/* ParquetExploitGenerator.java

# Run
java -cp .:~/.m2/repository/org/apache/parquet/*:~/.m2/repository/org/apache/hadoop/* ParquetExploitGenerator

文件快照

 [4.0K]  /data/pocs/029f917ea6a1a301b6f70ba9c920631a866ba4ce
├── [3.9K]  POC-CVE-2025-30065-ParquetExploitGenerator.java
└── [1.5K]  README.md

0 directories, 2 files

备注