Critical Flaw in Apache Parquet Allows Remote Attackers to Execute Arbitrary Code


A critical vulnerability (CVE-2025-30065) in Apache Parquet's Java library, with a CVSS score of 10.0, allows remote attackers to execute arbitrary code by tricking systems into reading specially crafted Parquet files. The flaw affects versions up to 1.15.0 and has been fixed in 1.15.1. This poses a major risk to data pipelines and analytics systems, especially when they handle untrusted files. Though the flaw has not yet been exploited in the wild, vulnerabilities in Apache projects have been frequent targets for threat actors. Recent examples include active exploitation of Apache Tomcat (CVE-2025-24813) and a cryptomining attack campaign linked to Chinese-speaking threat actors.
