CVE-2025-30065 PoC — Apache Parquet Java: Arbitrary code execution in the parquet-avro module when reading an Avro schema from a Parquet file

Associated Vulnerability
Title: Apache Parquet Java: Arbitrary code execution in the parquet-avro module when reading an Avro schema from a Parquet file metadata (CVE-2025-30065)
Description: Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.15.1, which fixes the issue.
Readme
# CVE-2025-30065

This repository illustrates how to exploit CVE-2025-30065 to achieve remote class instantiation and trigger a
network request from within the victim application (i.e. the JVM), thereby achieving SSRF.

The Parquet file generated by [Malicious.java](src%2Fmain%2Fjava%2Fcom%2Fevil%2FMalicious.java) assumes that the class [RCEPayload.java](src%2Fmain%2Fjava%2Fcom%2Fevil%2FRCEPayload.java)
is present on the classpath, which is not realistic. You can trigger that PoC by executing [Reader.java](src%2Fmain%2Fjava%2Fcom%2Fvictim%2FReader.java).

![image.png](images%2Fimage.png)


[MaliciousSSRF.java](src%2Fmain%2Fjava%2Fcom%2Fevil%2FMaliciousSSRF.java) is more feasible (from an attacker's perspective) and triggers a network connection, which could be internal or external.
One could also find other gadgets to achieve RCE (the tricky part is finding a constructor that accepts a string as its argument and leads to RCE; it is not like plain Java deserialization).
Similarly, the PoC can be executed using [ReaderSSRF.java](src%2Fmain%2Fjava%2Fcom%2Fvictim%2FReaderSSRF.java).
![image-ssrf.png](images%2Fimage-ssrf.png)

For more details about the internals of the vulnerability and the fix, you can have a look at my blog post: www.deep-kondah.com/parquet-under-fire-a-technical-analysis-of-cve-2025-30065
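
To check whether a Maven project declares a parquet-avro release in the affected range stated in the description above (1.15.0 and earlier, fixed in 1.15.1), the following audit script can be used. It is an added example, not part of the repository or of Apache Parquet; `audit_pom`, `parse_version` and the sample POM are constructed for illustration, and it assumes the POM declares the standard Maven namespace.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (1, 15, 1)  # first fixed release, per the advisory text on this page
NS = {"m": "http://maven.apache.org/POM/4.0.0"}  # assumption: POM uses this namespace

# Constructed sample pom.xml (not the repository's own pom.xml).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><parquet.version>1.15.0</parquet.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.parquet</groupId>
      <artifactId>parquet-avro</artifactId>
      <version>${parquet.version}</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """Turn '1.15.0' or '1.15.0-SNAPSHOT' into (1, 15, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None

def audit_pom(pom_xml):
    """Return (declared_version, verdict) for each parquet-avro dependency."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    findings = []
    # iter() also covers entries under <dependencyManagement>.
    for dep in root.iter("{%s}dependency" % NS["m"]):
        if dep.findtext("m:groupId", "", NS).strip() != "org.apache.parquet":
            continue
        if dep.findtext("m:artifactId", "", NS).strip() != "parquet-avro":
            continue
        raw = dep.findtext("m:version", "", NS).strip()
        # Resolve ${property} references defined in this same POM.
        resolved = re.sub(r"\$\{([^}]+)\}",
                          lambda ref: props.get(ref.group(1), ref.group(0)), raw)
        ver = parse_version(resolved)
        if ver is None:
            verdict = "unknown"  # version comes from a parent or BOM: check the effective POM
        else:
            verdict = "vulnerable" if ver < FIXED else "fixed"
        findings.append((resolved, verdict))
    return findings

if __name__ == "__main__":
    for version, verdict in audit_pom(SAMPLE_POM):
        print(f"parquet-avro {version}: {verdict}")
```

An `unknown` verdict means the version is not declared in the file itself; transitive dependencies are likewise not visible in a single POM and need the resolved dependency tree.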

File Snapshot

[4.0K] /data/pocs/4235d4975e9b300a67f55f880df425e67ec977b7
├── [ 147] DISCLAIMER.md
├── [ 83] exploit.html
├── [4.0K] images
│   ├── [ 26K] image.png
│   └── [ 52K] image-ssrf.png
├── [1.5K] pom.xml
├── [1.3K] README.md
└── [4.0K] src
    └── [4.0K] main
        └── [4.0K] java
            └── [4.0K] com
                ├── [4.0K] evil
                │   ├── [1.4K] GenerateMaliciousParquet.java
                │   ├── [1.5K] GenerateMaliciousParquetSSRF.java
                │   └── [ 509] RCEPayload.java
                └── [4.0K] victim
                    ├── [ 558] Reader.java
                    └── [ 567] ReaderSSRF.java

7 directories, 11 files