Platform: java
Component: org.apache.avro:avro-compiler
Fixed in: 1.11.5, 1.12.1
CVE-2025-33042 describes a Code Injection vulnerability discovered in the Apache Avro Java SDK. This flaw allows attackers to inject malicious code when generating records from untrusted Avro schemas, potentially leading to arbitrary code execution. The vulnerability impacts versions up to and including 1.12.0. Fixes are available in versions 1.12.1 and 1.11.5.
An attacker exploiting this vulnerability could craft a malicious Avro schema that, when processed by the Avro compiler, results in the execution of arbitrary code on the system. This could lead to complete system compromise, data exfiltration, or denial of service. The impact is particularly severe in environments where Avro schemas are sourced from untrusted origins, such as external APIs or user-provided configurations. The ability to inject code directly into the generated Java code makes this a high-risk vulnerability, similar in potential impact to other code injection flaws.
CVE-2025-33042 was publicly disclosed on 2026-02-13. The EPSS score is pending evaluation. Currently, there are no publicly known proof-of-concept exploits. It is listed on the NVD and CISA advisories.
Applications and systems that rely on the Apache Avro Java SDK to process Avro data from untrusted sources are at risk. This includes data pipelines, streaming applications, and systems that integrate with external APIs using Avro schemas. Organizations using older versions of Avro in production environments, particularly those with limited schema validation, are especially vulnerable.
• java / server: find /path/to/avro/jars -name "avro-compiler-*.jar"
• java / supply-chain: Check for the presence of vulnerable Avro compiler JAR files in your application dependencies using dependency scanning tools.
• generic web: Inspect Avro schema files for suspicious code patterns or unusual data structures that could be indicative of malicious intent.
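As an added example that is not part of the advisory, the following POSIX shell script extends the `find` check above: it walks a directory tree, reads each avro-compiler JAR's version from its file name, and reports those still in the affected range (below 1.11.5 on the 1.11 line, below 1.12.1 otherwise). The scan path and the assumption that JARs lie unpacked on disk under a `avro-compiler-<version>.jar` name are mine, not the advisory's.

```shell
#!/bin/sh
# Added example, not from the advisory: flag Apache Avro compiler JARs whose
# version is still in the range affected by CVE-2025-33042. Fixed releases per
# the advisory: 1.11.5 (1.11 line) and 1.12.1 (1.12 line); anything else up to
# and including 1.12.0 is treated as affected.

# Returns 0 (true) if VERSION is affected, 1 if it carries the fix.
avro_compiler_affected() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    # Drop qualifiers such as "-SNAPSHOT" from the patch component.
    patch=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
    patch=${patch:-0}
    [ "$major" -gt 1 ] && return 1   # 2.x or later: newer than both fixes
    [ "$major" -lt 1 ] && return 0
    case "$minor" in
        11) [ "$patch" -ge 5 ] && return 1 || return 0 ;;
        12) [ "$patch" -ge 1 ] && return 1 || return 0 ;;
    esac
    [ "$minor" -gt 12 ] && return 1  # 1.13+ postdates 1.12.1
    return 0                         # 1.10.x and older: affected
}

# Maps a JAR path such as lib/avro-compiler-1.12.0.jar to "1.12.0".
# Prints nothing and fails for names that are not avro-compiler JARs.
avro_compiler_version_from_jar() {
    base=$(basename "$1")
    case "$base" in
        avro-compiler-[0-9]*.jar) base=${base#avro-compiler-}; printf '%s\n' "${base%.jar}" ;;
        *) return 1 ;;
    esac
}

# Walks DIR like the advisory's find command and prints one line per
# affected JAR (assumed layout: plain JAR files on disk, not nested in WARs).
scan_avro_jars() {
    find "$1" -name 'avro-compiler-*.jar' 2>/dev/null | while IFS= read -r jar; do
        v=$(avro_compiler_version_from_jar "$jar") || continue
        if avro_compiler_affected "$v"; then
            printf 'AFFECTED  %s  (avro-compiler %s; fixed in 1.11.5 / 1.12.1)\n' "$jar" "$v"
        fi
    done
}

# Usage: scan_avro_jars /path/to/avro/jars
```

JARs bundled inside WAR or fat-JAR archives are not seen by this scan; the dependency-scanning check in the list above covers those.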
Disclosure: 2026-02-13
Exploit status: no publicly known proof-of-concept exploits
EPSS: 0.07% (22nd percentile)
The primary mitigation for CVE-2025-33042 is to upgrade to a patched version of the Apache Avro Java SDK. Upgrade to version 1.12.1 or 1.11.5. If upgrading immediately is not possible, consider implementing input validation on Avro schemas to prevent the processing of potentially malicious content. While not a complete solution, this can reduce the attack surface. Review any existing schema validation rules and strengthen them to reject schemas containing suspicious patterns. After upgrading, confirm the fix by attempting to compile a known malicious schema and verifying that it fails to generate executable code.
Update the Apache Avro Java SDK to version 1.11.5 or later, or to version 1.12.1 or later. This fixes the code injection vulnerability when generating certain records from untrusted Avro schemas. Download the latest version from the Maven repository.
CVE-2025-33042 is a Code Injection vulnerability in Apache Avro Compiler affecting versions up to 1.12.0. It allows attackers to inject malicious code via crafted Avro schemas.
You are affected if you are using Apache Avro Compiler versions 1.12.0 or earlier. Check your dependencies and upgrade if necessary.
Upgrade to version 1.12.1 or 1.11.5. If immediate upgrade is not possible, implement schema validation to prevent processing malicious content.
As of the current date, there are no publicly known active exploits for CVE-2025-33042.
Refer to the Apache Avro project website and security mailing lists for the official advisory and updates: https://avro.apache.org/