Vulnerability Management

F5 Labs releases PoC for Apache Parquet flaw


BleepingComputer reports that security researchers at F5 Labs have released a proof-of-concept exploit for CVE-2025-30065, a critical vulnerability affecting Apache Parquet, the popular open-source columnar data storage format used in big data analytics.

The flaw, first disclosed by Amazon researcher Keyi Li in April 2025, stems from insecure deserialization in the parquet-avro module, allowing remote code execution under specific conditions. While F5 Labs determined that the exploit’s real-world utility is limited, requiring rare configurations where instantiating Java classes causes harmful side effects, they warn that systems importing Parquet files from external sources could still be at risk. Their PoC tool, now available on GitHub, triggers a benign HTTP GET request to help administrators detect vulnerable setups. F5 emphasizes that the threat is context-specific, but urges prompt mitigation through upgrading to version 1.15.1 or later and properly configuring deserialization restrictions. “The issue requires a specific set of circumstances,” the report notes, but it should not be overlooked in high-risk environments.
