Apache Parquet CVE-2025-30065

A critical vulnerability (CVE-2025-30065) in Apache Parquet's parquet-avro module allows arbitrary code execution through schema manipulation and crafted files. Cloudera advises upgrading to supported versions with fixes once they become available and implementing mitigations in the meantime.

Background:

On April 1, 2025, a critical vulnerability in the parquet-avro module of Apache Parquet (CVE-2025-30065, CVSS score 10.0) was announced.

Cloudera has determined the list of affected products and is issuing this TSB to provide remediation details for the affected versions.

Upgraded versions are being released for all currently affected supported releases of Cloudera products. Customers using older versions are advised to upgrade to a supported release that has the remediation, once it becomes available.

Addressed in release/refresh/patch:
Upgrade your deployments to one of the NiFi Runtime versions that contain the fix:
  • 1.28.0 or higher
  • 1.27.0.2.3.14.2-2
  • 1.25.0.2.3.13.2-3
  • 1.24.0.2.3.12.4-4
  • 1.23.2.2.3.11.1-4
  • 1.21.0.2.3.9.3-5
  • 1.20.0.2.3.8.3-3

For more information on upgrading a deployment to a newer Runtime version, see Changing NiFi runtime version.

For the latest updates on this issue, see the corresponding Knowledge article.