Apache Parquet exploit tool detects servers vulnerable to critical flaw
A proof-of-concept exploit has been publicly released for a maximum severity Apache Parquet vulnerability, tracked as CVE-2025-30065, making it easy to find vulnerable servers.
The tool was released by F5 Labs researchers who investigated the vulnerability after finding that multiple existing PoCs were either weak or completely non-functional.
The tool serves as proof of CVE-2025-30065’s practical exploitability and can also help administrators evaluate their environments and secure servers.
Apache Parquet is an open-source, columnar storage format designed for efficient data processing, widely used by big data platforms and organizations engaged in data engineering and analytics.
The flaw was first disclosed on April 1, 2025, following an earlier discovery by Amazon researcher Keyi Li. It was categorized as a remote code execution impacting all versions of Apache Parquet up to and including 1.15.0.
From a technical perspective, CVE-2025-30065 is a deserialization flaw in the parquet-avro module of Apache Parquet Java, where the library fails to restrict which Java classes can be instantiated when reading Avro data embedded in Parquet files.
On April 2, 2025, Endor Labs published a write-up warning about the risk of exploitation and its potential impact on systems that import Parquet files from external points.
Subsequent analysis by F5 Labs shows that the flaw is not a full deserialization RCE but can still be misused if a class has side effects during instantiation, like when making a network request from the vulnerable system to an attacker-controlled server.
However, the researchers concluded that practical exploitation is difficult, and CVE-2025-30065 has limited value to attackers.
“While Parquet and Avro are used widely, this issue requires a specific set of circumstances that isn’t all that likely in general,” reads the F5 Labs report.
“Even then, this CVE only allows attackers to trigger the instantiation of a Java object which then must have a side effect that is useful for the attacker.”
Despite the low likelihood of exploitation, the researchers admit that some organizations process Parquet files from external, often unverified sources, and hence the risk is significant in some environments.
For this reason, F5 Labs created a “canary exploit” tool (available on GitHub) that triggers an HTTP GET request via instantiation of javax.swing.JEditorKit, allowing users to verify exposure.
Besides using the tool, it is recommended to upgrade to Apache Parquet version 1.15.1 or later, and to configure ‘org.apache.parquet.avro.SERIALIZABLE_PACKAGES’ to restrict which packages are allowed for deserialization.
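As an added example (not part of the article or of F5 Labs' tool), the following Python scanner shows the defender-side check the flaw calls for: it reads the Avro schema that parquet-avro embeds in a file's key/value metadata and flags any `java-class`-style attribute naming a class outside an allowlist of packages, the same kind of restriction the ‘SERIALIZABLE_PACKAGES’ setting enforces. The allowlist and the sample metadata are constructed for this example; the allowlist is an assumption and should mirror your own setting.

```python
import json

# Constructed allowlist of package prefixes for this example (an assumption:
# set it to whatever your SERIALIZABLE_PACKAGES configuration permits).
ALLOWED_PACKAGES = ("java.lang", "java.math", "java.io", "java.util", "org.apache.avro.reflect")

# Avro reflect schema attributes that tell parquet-avro which Java class to instantiate.
CLASS_ATTRS = ("java-class", "java-key-class", "java-element-class")

# Metadata keys under which parquet-avro stores the writer's Avro schema.
SCHEMA_KEYS = (b"parquet.avro.schema", b"avro.schema")


def find_class_refs(schema, path="$"):
    """Yield (path, attribute, class_name) for every class-naming attribute in an Avro schema."""
    if isinstance(schema, dict):
        here = f"{path}.{schema['name']}" if "name" in schema else path
        for attr in CLASS_ATTRS:
            if attr in schema:
                yield here, attr, schema[attr]
        for child in schema.values():
            yield from find_class_refs(child, here)
    elif isinstance(schema, list):
        for child in schema:
            yield from find_class_refs(child, path)


def is_allowed(class_name):
    """True if the class lives in one of the allowlisted packages."""
    return any(class_name.startswith(pkg + ".") for pkg in ALLOWED_PACKAGES)


def scan_parquet_metadata(kv_metadata):
    """Return the disallowed class references found in a file's embedded Avro schema.

    kv_metadata is the Parquet key/value metadata as a dict of bytes -> bytes
    (for real files, e.g. pyarrow.parquet.read_metadata(path).metadata)."""
    raw = next((kv_metadata[k] for k in SCHEMA_KEYS if k in kv_metadata), None)
    if raw is None:
        return []  # no Avro schema embedded, so no java-class attributes to act on
    schema = json.loads(raw)
    return [(p, a, c) for p, a, c in find_class_refs(schema) if not is_allowed(c)]


# Constructed sample metadata: one benign stringable field and one naming the
# class the article's canary tool uses, so the scanner has something to flag.
SAMPLE_METADATA = {b"parquet.avro.schema": json.dumps({
    "type": "record", "name": "Event", "fields": [
        {"name": "amount", "type": {"type": "string", "java-class": "java.math.BigDecimal"}},
        {"name": "payload", "type": {"type": "string", "java-class": "javax.swing.JEditorKit"}},
    ]}).encode()}

if __name__ == "__main__":
    for path, attr, cls in scan_parquet_metadata(SAMPLE_METADATA):
        print(f"disallowed {attr}={cls} at {path}")
```

Run this over files arriving from untrusted sources before they reach a parquet-avro reader; a non-empty result means the file asks the reader to instantiate a class your policy does not permit.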