
CVE-2025-30065 PoC — Apache Parquet Java: Arbitrary code execution in the parquet-avro module when reading an Avro schema from a Parquet file

Source
Associated Vulnerability
Title: Apache Parquet Java: Arbitrary code execution in the parquet-avro module when reading an Avro schema from a Parquet file metadata (CVE-2025-30065)
Description: Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.15.1, which fixes the issue.
Description
After reviewing the provided Proof of Concept (PoC) for CVE-2025-30065, it appears that the vulnerability exploits the deserialization mechanism in Apache Parquet's handling of Avro schemas, particularly through the use of the `default` property to instantiate arbitrary classes.
Readme
# CVE-2025-30065 Proof of Concept - Apache Parquet RCE

> ⚠️ FOR EDUCATIONAL AND AUTHORIZED SECURITY RESEARCH ONLY ⚠️  
> Do not use in unauthorized environments. This PoC is provided **as-is** and the author is not responsible for misuse.

## Description

This Proof of Concept demonstrates **CVE-2025-30065**, a Remote Code Execution vulnerability affecting **Apache Parquet** when using Avro schemas.  
It leverages insecure deserialization through the `default` field in Avro, allowing instantiation of arbitrary Java classes.

The PoC generates a malicious `.parquet` file containing a crafted schema and embedded warning header.  
Execution occurs if the vulnerable system deserializes this schema and has the target payload class in its classpath.
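A defender-side pre-flight check, added here as an example and not part of the PoC or of Apache Parquet itself: it reads only the footer of a Parquet file, pulls out the embedded Avro schema, and flags any schema or field property and any field `default` whose value looks like a fully qualified Java class name, so the file can be quarantined before a vulnerable `parquet-avro` reader ever converts it. It assumes the footer key `parquet.avro.schema` (the key parquet-avro uses to store the writer schema), the class-name regex as a heuristic, and the `parquet-hadoop`, `avro` and Hadoop jars on the classpath; a hit is a triage signal, not proof of compromise, and upgrading to 1.15.1 remains the fix.

```java
import java.util.*;
import java.util.regex.Pattern;
import org.apache.avro.Schema;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.parquet.hadoop.ParquetFileReader;
import org.apache.parquet.hadoop.util.HadoopInputFile;
/** Pre-flight triage: read only the Parquet footer, extract the embedded Avro schema and
 *  flag any schema/field property or field default whose value looks like a Java class name. */
public class ParquetSchemaScanner {
    static final String AVRO_SCHEMA_KEY = "parquet.avro.schema"; // footer key written by parquet-avro (assumed)
    static final Pattern CLASS_NAME = Pattern.compile("^([A-Za-z_$][\\w$]*\\.)+[A-Z][\\w$]*$"); // heuristic
    public static void main(String[] args) throws Exception {
        HadoopInputFile in = HadoopInputFile.fromPath(new Path(args[0]), new Configuration());
        try (ParquetFileReader reader = ParquetFileReader.open(in)) {
            String json = reader.getFooter().getFileMetaData().getKeyValueMetaData().get(AVRO_SCHEMA_KEY);
            if (json == null) { System.out.println("no embedded Avro schema"); return; }
            // Schema.Parser only parses JSON; nothing named in the schema gets instantiated here.
            int hits = scan(new Schema.Parser().parse(json), "", new HashSet<>());
            System.out.println(hits == 0 ? "clean" : hits + " suspicious value(s); quarantine before reading with parquet-avro");
        }
    }
    /** Walks the schema tree (the seen-set stops infinite recursion on recursive records). */
    static int scan(Schema s, String where, Set<String> seen) {
        String here = where + s.getName();
        int hits = 0;
        for (Map.Entry<String, Object> e : s.getObjectProps().entrySet()) hits += flag(here + "@" + e.getKey(), e.getValue());
        switch (s.getType()) {
            case RECORD:
                if (!seen.add(s.getFullName())) break;
                for (Schema.Field f : s.getFields()) {
                    String path = here + "." + f.name();
                    for (Map.Entry<String, Object> e : f.getObjectProps().entrySet()) hits += flag(path + "@" + e.getKey(), e.getValue());
                    if (f.hasDefaultValue()) hits += flag(path + ".default", f.defaultVal());
                    hits += scan(f.schema(), path + ":", seen);
                }
                break;
            case UNION: for (Schema t : s.getTypes()) hits += scan(t, where, seen); break;
            case ARRAY: hits += scan(s.getElementType(), where, seen); break;
            case MAP:   hits += scan(s.getValueType(), where, seen); break;
            default: break;
        }
        return hits;
    }
    static int flag(String where, Object value) {
        if (!CLASS_NAME.matcher(String.valueOf(value)).matches()) return 0;
        System.out.println("SUSPICIOUS " + where + " = " + value); return 1;
    }
}
```

Run it as `java ParquetSchemaScanner suspect.parquet` on files arriving from untrusted sources; a non-zero hit count is the signal to hold the file for review.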

## Author

**@h3st4k3r** — VM, CTI & researcher  
https://github.com/h3st4k3r

## File

- `POC-CVE-2025-30065-ParquetExploitGenerator.java`: Main PoC source code. Generates a malicious Parquet file.

## Requirements

- Java 8+
- Maven (for dependencies)
- Apache Parquet `parquet-avro` dependency (vulnerable: ≤ 1.15.0)
- Hadoop Core (for `Path` and `Configuration` classes)

## Build & Run

```bash
# Get Parquet Avro dependency
mvn dependency:get -Dartifact=org.apache.parquet:parquet-avro:1.15.0

# Compile
javac -cp ~/.m2/repository/org/apache/parquet/*:~/.m2/repository/org/apache/hadoop/* ParquetExploitGenerator.java

# Run
java -cp .:~/.m2/repository/org/apache/parquet/*:~/.m2/repository/org/apache/hadoop/* ParquetExploitGenerator
```
File Snapshot

[4.0K] /data/pocs/029f917ea6a1a301b6f70ba9c920631a866ba4ce
├── [3.9K] POC-CVE-2025-30065-ParquetExploitGenerator.java
└── [1.5K] README.md

0 directories, 2 files