Platform: java
Component: org.apache.avro:avro-compiler
Fixed in: 1.11.5, 1.12.1
CVE-2025-33042 describes a Code Injection vulnerability discovered in the Apache Avro Java SDK. The flaw allows attackers to inject malicious code when records are generated from untrusted Avro schemas, potentially leading to arbitrary code execution. The vulnerability affects versions up to and including 1.12.0. Fixes are available in versions 1.12.1 and 1.11.5.
An attacker exploiting this vulnerability could craft a malicious Avro schema that, when processed by the Avro compiler, results in the execution of arbitrary code on the system. This could lead to complete system compromise, data exfiltration, or denial of service. The impact is particularly severe in environments where Avro schemas are sourced from untrusted origins, such as external APIs or user-provided configurations. The ability to inject code directly into the generated Java code makes this a high-risk vulnerability, similar in potential impact to other code injection flaws.
CVE-2025-33042 was publicly disclosed on 2026-02-13. The EPSS score is pending evaluation. Currently, there are no publicly known proof-of-concept exploits. It is listed on the NVD and CISA advisories.
Exploit Status
EPSS: 0.07% (22nd percentile)
The primary mitigation for CVE-2025-33042 is to upgrade to a patched version of the Apache Avro Java SDK: 1.12.1 on the 1.12 line or 1.11.5 on the 1.11 line. If upgrading immediately is not possible, consider implementing input validation on Avro schemas so that potentially malicious content is rejected before it reaches the compiler. This is not a complete solution, but it reduces the attack surface. Review any existing schema validation rules and strengthen them to reject schemas containing suspicious patterns. After upgrading, confirm the fix by attempting to compile a known malicious schema and verifying that it fails to generate executable code.
Upgrade the version of Apache Avro Java SDK to version 1.11.5 or later, or to version 1.12.1 or later. This will correct the code injection vulnerability when generating specific records from untrusted Avro schemas. Download the latest version from the Maven repository.
CVE-2025-33042 is a Code Injection vulnerability in Apache Avro Compiler affecting versions up to 1.12.0. It allows attackers to inject malicious code via crafted Avro schemas.
You are affected if you are using Apache Avro Compiler versions 1.12.0 or earlier. Check your dependencies and upgrade if necessary.
Upgrade to version 1.12.1 or 1.11.5. If immediate upgrade is not possible, implement schema validation to prevent processing malicious content.
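The mitigation section and the answer above both recommend validating untrusted Avro schemas before they reach the avro-compiler code generator. The following is an added example of such a pre-compile gate; it is not code from the advisory or from the Apache Avro project. It walks a schema (Avro schemas are JSON) and rejects it when any identifier that ends up in generated Java, that is type names, namespaces, aliases, field names and enum symbols, does not match the name grammar in the Avro specification (`[A-Za-z_][A-Za-z0-9_]*`, with full names as dot-separated sequences of such names). The advisory does not state the exact injection vector, so this check is a general allow-list on identifiers rather than a signature for a specific payload; the sample schemas, the function names and the `$.path` notation for reporting locations are constructed for this example.

```python
"""Pre-compile gate for untrusted Avro schemas (added example, not Avro project code).

Rejects a schema when any identifier that would be emitted into generated
code fails the Avro specification's name grammar. Non-identifier content
(doc strings, defaults, custom properties) is not inspected here."""
import json
import re

# Avro spec: a name starts with [A-Za-z_] and then contains only [A-Za-z0-9_].
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
PRIMITIVES = {"null", "boolean", "int", "long", "float", "double", "bytes", "string"}


def valid_name(name) -> bool:
    """Single name segment: field names and enum symbols."""
    return isinstance(name, str) and NAME_RE.fullmatch(name) is not None


def valid_fullname(name) -> bool:
    """Dot-separated full name: type names, namespaces, type references, aliases."""
    return isinstance(name, str) and name != "" and all(valid_name(p) for p in name.split("."))


def find_violations(schema, path="$"):
    """Return a list of (json_path, message) pairs; an empty list means every
    identifier in the schema is well-formed."""
    problems = []
    if isinstance(schema, str):
        # A primitive type name or a reference to a previously defined named type.
        if schema not in PRIMITIVES and not valid_fullname(schema):
            problems.append((path, f"bad type reference {schema!r}"))
    elif isinstance(schema, list):
        # Union: check every branch.
        for i, branch in enumerate(schema):
            problems += find_violations(branch, f"{path}[{i}]")
    elif isinstance(schema, dict):
        t = schema.get("type")
        if isinstance(t, (dict, list)):
            # {"type": <nested schema>} wrapper form.
            problems += find_violations(t, f"{path}.type")
        elif t in ("record", "error", "enum", "fixed"):
            if not valid_fullname(schema.get("name")):
                problems.append((f"{path}.name", f"bad name {schema.get('name')!r}"))
            ns = schema.get("namespace")
            if ns not in (None, "") and not valid_fullname(ns):
                problems.append((f"{path}.namespace", f"bad namespace {ns!r}"))
            for i, alias in enumerate(schema.get("aliases", [])):
                if not valid_fullname(alias):
                    problems.append((f"{path}.aliases[{i}]", f"bad alias {alias!r}"))
            if t in ("record", "error"):
                for i, field in enumerate(schema.get("fields", [])):
                    fp = f"{path}.fields[{i}]"
                    if not valid_name(field.get("name")):
                        problems.append((f"{fp}.name", f"bad field name {field.get('name')!r}"))
                    problems += find_violations(field.get("type"), f"{fp}.type")
            elif t == "enum":
                for i, sym in enumerate(schema.get("symbols", [])):
                    if not valid_name(sym):
                        problems.append((f"{path}.symbols[{i}]", f"bad symbol {sym!r}"))
        elif t == "array":
            problems += find_violations(schema.get("items"), f"{path}.items")
        elif t == "map":
            problems += find_violations(schema.get("values"), f"{path}.values")
        elif isinstance(t, str):
            if t not in PRIMITIVES and not valid_fullname(t):
                problems.append((f"{path}.type", f"bad type reference {t!r}"))
        else:
            problems.append((f"{path}.type", "missing or non-string type"))
    else:
        problems.append((path, "schema must be a JSON string, array, or object"))
    return problems


def violation_paths(schema_json: str):
    """Convenience wrapper: JSON text in, list of offending paths out."""
    return [p for p, _ in find_violations(json.loads(schema_json))]


def is_safe_to_compile(schema_json: str) -> bool:
    """True only when no identifier violates the Avro name grammar."""
    return not violation_paths(schema_json)


# Constructed sample schemas for demonstration (not from the advisory).
GOOD_SCHEMA = json.dumps({
    "type": "record", "name": "User", "namespace": "com.example",
    "fields": [
        {"name": "id", "type": "long"},
        {"name": "tags", "type": {"type": "array", "items": "string"}},
        {"name": "role", "type": {"type": "enum", "name": "Role", "symbols": ["ADMIN", "USER"]}},
        {"name": "nick", "type": ["null", "string"], "default": None},
    ],
})
BAD_SCHEMA = json.dumps({
    "type": "record", "name": "my record", "namespace": "com.example",
    "fields": [
        {"name": "1st", "type": "int"},
        {"name": "role", "type": {"type": "enum", "name": "Role", "symbols": ["ADMIN", "read-only"]}},
    ],
})

if __name__ == "__main__":
    print("good schema safe:", is_safe_to_compile(GOOD_SCHEMA))
    for p, msg in find_violations(json.loads(BAD_SCHEMA)):
        print(f"{p}: {msg}")
```

Run the gate on every schema before invoking the code generator and refuse to compile anything that returns violations; the reported paths point the operator at the offending element. Because it only enforces the specification's identifier grammar, it rejects input that a correct compiler would also reject, so it does not break legitimate schemas, but it is a compensating control, not a replacement for upgrading to 1.12.1 or 1.11.5.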
As of the current date, there are no publicly known active exploits for CVE-2025-33042.
Refer to the Apache Avro project website and security mailing lists for the official advisory and updates: https://avro.apache.org/