No known exploits yet: Neither Endor Labs nor NIST’s NVD entry reported any exploit attempts using CVE-2025-30065 as of publication of this article. Apache silently pushed a fix with the release of 1.15.1 on March 16, 2025, with a GitHub redirect to changes made in the update.Endor Labs advised prompt patching of the vulnerability, which poses threats to the confidentiality, integrity, and availability of affected systems. It cautioned developers that the absence of reported attacks should not delay action as the issue is now public knowledge.One mitigating factor for vulnerable organizations is the requirement for user interaction for a successful exploitation. Only a malicious Parquet file imported by the user into their systems can trigger the vulnerability.But that may not save them for long. Last month, a critical flaw was found in another Java-based service from Apache, Tomcat, and it was exploited within 30 hours of public disclosure.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3954647/big-hole-in-big-data-critical-deserialization-bug-in-apache-parquet-allows-rce.html
