Related vulnerability
Description
CVE-2025-30065
Introduction
# CVE-2025-30065 ==> Dangerous Deserialization in Parquet-Avro 🔥
---
### ⚠️ What’s the Risk?
* **Severity**: **10.0 (Critical ☠️)** on CVSS.
* **What it allows**: An attacker can craft a malicious Parquet file that embeds a custom Avro schema designed to trigger the instantiation of arbitrary Java classes.
* **Result**: Under certain conditions, this can lead to **remote code execution**.
---
### 🔍 How is it exploited?
To exploit this vulnerability, the following conditions must be met:
1. Your application uses the `parquet-avro` library.
2. It processes a Parquet file with an embedded Avro schema.
3. The attacker’s target Java class exists on the application classpath.
4. There are no safeguards (e.g., allow-lists or class restrictions).
**Example**: A malicious file might trigger instantiation of `javax.swing.JEditorPane`, which can perform HTTP requests, potentially giving the attacker outbound network access or triggering other side effects.
---
### 📂 Structure
+ `ParquetExploitGenerator.java` – Generates a malicious Parquet file using a crafted Avro schema with default values that directly triggers instantiation of a standard Java class (`javax.swing.JEditorPane`).
+ `PayloadRecord.java` – Payload class with a static initializer (legacy PoC component, superseded by the new logic).
+ `ParquetVictim.java` – Simulated victim application that reads the Parquet file and deserializes the Avro schema, triggering the payload under the right conditions.
---
### 🏗️ Build & Run
Use `CVE-2025-30065.sh` (included) to automate compilation, dependency resolution via Maven, and execution of the full chain.
***Requirements:***
+ Java 8+
+ Maven
```bash
sudo chmod +x CVE-2025-30065.sh
./CVE-2025-30065.sh
```
---
### 🛠️ How to Protect Yourself
#### ✅ Immediate Action: **Update**
* Upgrade **Apache Parquet Java to version 1.15.1 or newer**.
* If you use packaged solutions like:
  * **Cloudera**: Upgrade to **Data Warehouse 1.10.1-b703** or later.
  * **IBM Db2**: Apply fix packs such as **11.1.4 FP7, 11.5.9, or 12.1.1**.
#### 🔒 Additional Mitigations
* **Enable class allow-lists**:
  * Use `org.apache.parquet.avro.SERIALIZABLE_PACKAGES` and set it to only trusted packages (avoid `*`).
  * Use `org.apache.avro.TRUSTED_PACKAGES` to restrict Avro schema behavior.
* **Block or scan Parquet files from untrusted sources**.
* **Test your pipeline** using PoC tools (like the F5 Canary exploit).
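As an added example (not part of this repository), a defender-side scan of the Avro schema a Parquet footer carries: it walks the schema JSON and reports every `java-class`, `java-key-class` or `java-element-class` reference whose package is not on an allow-list of package prefixes, mirroring the allow-list semantics of `SERIALIZABLE_PACKAGES`. It assumes the schema string has already been pulled out of the file's `parquet.avro.schema` key-value metadata (for instance via pyarrow's `read_metadata`); the sample schema below is constructed.

```python
import json

# Avro schema properties that parquet-avro's reflection path resolves to Java classes.
CLASS_PROPS = ("java-class", "java-key-class", "java-element-class")

# Constructed sample: what a reader would find under the "parquet.avro.schema"
# footer key of an untrusted file (not a real captured schema).
SAMPLE_SCHEMA = json.dumps({
    "type": "record", "name": "Row", "fields": [
        {"name": "id", "type": "long"},
        {"name": "name", "type": {"type": "string",
                                  "java-class": "javax.swing.JEditorPane"}},
        {"name": "tags", "type": {"type": "array", "items": "string",
                                  "java-element-class": "java.lang.String"}},
    ],
})


def find_class_refs(node, path="$"):
    """Yield (json_path, class_name) for every java-*-class property in the schema."""
    if isinstance(node, dict):
        for prop in CLASS_PROPS:
            if prop in node:
                yield f"{path}.{prop}", node[prop]
        for key, child in node.items():
            if key not in CLASS_PROPS:
                yield from find_class_refs(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from find_class_refs(child, f"{path}[{i}]")


def untrusted_class_refs(schema_json, allowed_packages):
    """Return [(path, class_name)] for class references outside the allow-list.

    A class is trusted only if its name starts with one of the allowed package
    prefixes followed by a dot, so "java.lang" does not cover "javax.swing".
    A bare "*" allows everything, which is exactly the setting the advisory warns against.
    """
    schema = json.loads(schema_json) if isinstance(schema_json, str) else schema_json
    if "*" in allowed_packages:
        return []
    prefixes = tuple(p.rstrip(".") + "." for p in allowed_packages)
    return [(path, cls) for path, cls in find_class_refs(schema)
            if not cls.startswith(prefixes)]


if __name__ == "__main__":
    for path, cls in untrusted_class_refs(SAMPLE_SCHEMA, ["java.lang", "java.util"]):
        print(f"untrusted class reference at {path}: {cls}")
```

A file that yields any hit should be quarantined before it reaches a `parquet-avro` reader older than 1.15.1, and the same check is a cheap unit test for the allow-list you deploy.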
---
### ❗ Is it being exploited in the wild?
* **No confirmed active exploitation yet**, but **public PoCs exist**, making it likely to be abused soon.
---
### ✅ Quick Security Checklist
| Task | Status |
| ------------------------------------------- | ------ |
| Upgrade Apache Parquet to ≥ 1.15.1 | ✅ |
| Review Cloudera/Db2 or similar dependencies | ✅ |
| Restrict allowed Java packages | ✅ |
| Avoid ingesting untrusted Parquet files | ✅ |
| Run PoC or canary exploit tests | ✅ |
| Monitor system/network for anomalies | ✅ |
---
### 🔒 **Disclaimer**
> This content is provided for **educational and informational purposes only**. The aim is to raise awareness about the security vulnerability **CVE-2025-30065** in Apache Parquet and promote safe practices in software development and deployment.
>
> **No part of this information is intended to encourage or support malicious activity, unauthorized access, or exploitation of systems.**
>
> Always ensure that you are authorized to test any system, and follow responsible disclosure and legal boundaries.
>
> The author(s) are not responsible for any misuse of the information presented.
---
File snapshot
[4.0K] /data/pocs/18daffe3ff31f44443bad97394bc6bd7bf908564
├── [1.2K] CVE-2025-30065.sh
├── [1.8K] ParquetExploitGenerator.java
├── [ 692] ParquetVictim.java
├── [1.2K] PayloadRecord.java
└── [3.7K] README.md
0 directories, 5 files
Notes
1. Accessing the PoC through its original source is recommended.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.