Platform
java
Component
org.apache.avro:avro-compiler
Fixed in
1.11.5
1.12.1
CVE-2025-33042 describes a code injection vulnerability discovered in the Apache Avro Java SDK. The flaw allows attackers to inject malicious code when generating records from untrusted Avro schemas, potentially leading to arbitrary code execution. The vulnerability affects versions up to and including 1.12.0; fixes are available in versions 1.12.1 and 1.11.5.
An attacker exploiting this vulnerability could craft a malicious Avro schema that, when processed by the Avro compiler, results in the execution of arbitrary code on the system. This could lead to complete system compromise, data exfiltration, or denial of service. The impact is particularly severe in environments where Avro schemas are sourced from untrusted origins, such as external APIs or user-provided configurations. The ability to inject code directly into the generated Java code makes this a high-risk vulnerability, similar in potential impact to other code injection flaws.
CVE-2025-33042 was publicly disclosed on 2026-02-13. The EPSS score is pending evaluation. Currently, there are no publicly known proof-of-concept exploits. It is listed on the NVD and CISA advisories.
Applications and systems that rely on the Apache Avro Java SDK to process Avro data from untrusted sources are at risk. This includes data pipelines, streaming applications, and systems that integrate with external APIs using Avro schemas. Organizations using older versions of Avro in production environments, particularly those with limited schema validation, are especially vulnerable.
• java / server:
find /path/to/avro/jars -name "avro-compiler-*.jar"
• java / supply-chain: Check for the presence of vulnerable Avro compiler JAR files in your application dependencies using dependency scanning tools.
• generic web: Inspect Avro schema files for suspicious code patterns or unusual data structures that could be indicative of malicious intent.
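The server and supply-chain checks above can be scripted. The following Python script is an added example (not from this advisory or the Apache Avro project): it extracts the declared org.apache.avro:avro-compiler version from a pom.xml (resolving simple ${property} references, but not parent POMs or imported BOMs) or from a JAR file name, and classifies it against the fixed versions 1.11.5 and 1.12.1 stated on this page. The sample POM is constructed for the example.

```python
"""Classify Apache Avro compiler versions against CVE-2025-33042.

Added example, not part of the advisory or the Avro project. Affected range
taken from this page: up to and including 1.12.0; fixed in 1.11.5 and 1.12.1.
"""
import re
import xml.etree.ElementTree as ET

# Per release branch, the first release that carries the fix.
FIXED_BY_BRANCH = {(1, 11): (1, 11, 5), (1, 12): (1, 12, 1)}
LAST_AFFECTED = (1, 12, 0)


def parse_version(text):
    """Turn '1.11.4' (or '1.11.4-SNAPSHOT') into a comparable (1, 11, 4) tuple."""
    nums = []
    for part in text.strip().split(".")[:3]:
        m = re.match(r"\d+", part)
        if not m:
            raise ValueError(f"unparseable version {text!r}")
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version):
    """True if this avro-compiler version is inside the affected range."""
    v = parse_version(version)
    if v > LAST_AFFECTED:
        return False  # 1.12.1 and later carry the fix
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return True  # older branches (1.10.x and below) have no fixed release
    return v < fixed  # 1.11.x before 1.11.5, or 1.12.0


def _local(tag):
    # Strip the Maven POM XML namespace: '{...}dependency' -> 'dependency'
    return tag.rsplit("}", 1)[-1]


def avro_compiler_versions_from_pom(pom_xml):
    """Return declared versions of org.apache.avro:avro-compiler in a POM string.

    Assumption: only <properties> of this POM are consulted; parent POMs and
    dependencyManagement imports (BOMs) are not resolved.
    """
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            for p in el:
                props[_local(p.tag)] = (p.text or "").strip()
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") == "org.apache.avro" and fields.get("artifactId") == "avro-compiler":
            ver = fields.get("version", "")
            m = re.fullmatch(r"\$\{(.+)\}", ver)
            if m:
                ver = props.get(m.group(1), ver)
            found.append(ver)
    return found


JAR_RE = re.compile(r"avro-compiler-(\d+\.\d+\.\d+)\.jar$")


def version_from_jar_name(path):
    """Extract the version from a path such as .../avro-compiler-1.12.0.jar, else None."""
    m = JAR_RE.search(path)
    return m.group(1) if m else None


# Constructed sample POM (not from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties><avro.version>1.11.4</avro.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.avro</groupId>
      <artifactId>avro-compiler</artifactId>
      <version>${avro.version}</version>
    </dependency>
  </dependencies>
</project>"""


def report(pom_xml):
    """List of (version, affected) for every avro-compiler dependency in the POM."""
    return [(v, is_affected(v)) for v in avro_compiler_versions_from_pom(pom_xml)]


if __name__ == "__main__":
    for v, bad in report(SAMPLE_POM):
        print(f"avro-compiler {v}: {'AFFECTED' if bad else 'fixed'}")
```

Feed `report()` the contents of each pom.xml in a build tree, and `version_from_jar_name()` the paths returned by the `find` command above, to get a per-artifact verdict; transitive dependencies pulled in by other libraries still need a full dependency-tree scan.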
Exploit Status
disclosure
EPSS
0.07% (22nd percentile)
The primary mitigation for CVE-2025-33042 is to upgrade to a patched version of the Apache Avro Java SDK. Upgrade to version 1.12.1 or 1.11.5. If upgrading immediately is not possible, consider implementing input validation on Avro schemas to prevent the processing of potentially malicious content. While not a complete solution, this can reduce the attack surface. Review any existing schema validation rules and strengthen them to reject schemas containing suspicious patterns. After upgrading, confirm the fix by attempting to compile a known malicious schema and verifying that it fails to generate executable code.
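The interim schema validation suggested above can be made concrete as an allow-list check run before any schema reaches the compiler. The following Python code is an added example, not the Avro project's code and not the upstream fix: it walks a JSON schema and rejects any type name, namespace, alias, field name, enum symbol or type reference that does not follow the Avro naming grammar (a letter or underscore followed by letters, digits or underscores, dot-separated for namespaces and full names), so only schemas made of plain identifiers are passed on. The two sample schemas are constructed for the example.

```python
"""Allow-list pre-check for Avro schemas before code generation.

Added example, not the Avro project's code and not the upstream fix for
CVE-2025-33042. Rejects schemas whose identifiers fall outside the Avro
naming grammar; it does not replace upgrading to 1.11.5 / 1.12.1.
"""
import json
import re

NAME_PART = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


class SchemaRejected(ValueError):
    """Raised when a schema element fails the allow-list check."""


def _check_name(value, what):
    if not isinstance(value, str):
        raise SchemaRejected(f"{what} is missing or not a string")
    for part in value.split("."):  # namespaces and full names are dot-separated
        if not NAME_PART.fullmatch(part):
            raise SchemaRejected(f"{what} {value!r} violates Avro naming rules")


def validate_schema_names(schema):
    """Recursively check every identifier in a JSON-decoded Avro schema."""
    if isinstance(schema, str):  # primitive type or reference to a named type
        _check_name(schema, "type reference")
        return
    if isinstance(schema, list):  # union
        for branch in schema:
            validate_schema_names(branch)
        return
    if not isinstance(schema, dict):
        raise SchemaRejected(f"unexpected schema element {schema!r}")
    t = schema.get("type")
    if t in ("record", "error", "enum", "fixed"):
        _check_name(schema.get("name"), "type name")
        if schema.get("namespace"):  # empty namespace is allowed (null namespace)
            _check_name(schema["namespace"], "namespace")
        for alias in schema.get("aliases", []):
            _check_name(alias, "alias")
    if t in ("record", "error"):
        for field in schema.get("fields", []):
            _check_name(field.get("name"), "field name")
            for alias in field.get("aliases", []):
                _check_name(alias, "field alias")
            validate_schema_names(field.get("type"))
    elif t == "enum":
        for symbol in schema.get("symbols", []):
            _check_name(symbol, "enum symbol")
    elif t == "array":
        validate_schema_names(schema.get("items"))
    elif t == "map":
        validate_schema_names(schema.get("values"))
    elif t == "fixed":
        pass  # name already checked above; size is numeric
    elif isinstance(t, (dict, list, str)):
        validate_schema_names(t)  # inline nested type or primitive with attributes
    else:
        raise SchemaRejected(f"unexpected type {t!r}")


def check_schema_text(text):
    """Return (True, 'ok') if the schema passes, else (False, reason)."""
    try:
        validate_schema_names(json.loads(text))
    except ValueError as exc:  # covers SchemaRejected and JSON decode errors
        return False, str(exc)
    return True, "ok"


# Constructed samples: one conforming schema, one with a non-conforming record name.
GOOD_SCHEMA = """{
  "type": "record", "name": "Order", "namespace": "com.example.shop",
  "fields": [
    {"name": "id", "type": "long"},
    {"name": "status", "type": {"type": "enum", "name": "Status", "symbols": ["NEW", "PAID"]}},
    {"name": "items", "type": {"type": "array", "items": "string"}},
    {"name": "note", "type": ["null", "string"], "default": null}
  ]
}"""
BAD_SCHEMA = '{"type": "record", "name": "order-item", "fields": [{"name": "sku", "type": "string"}]}'

if __name__ == "__main__":
    for label, text in (("good", GOOD_SCHEMA), ("bad", BAD_SCHEMA)):
        print(label, check_schema_text(text))
```

Run `check_schema_text()` on every externally supplied schema and only hand schemas that return `(True, "ok")` to the compiler; a rejection should be logged with its reason so that unexpected identifiers in incoming schemas become visible.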
Update the Apache Avro Java SDK to version 1.11.5 or later, or to version 1.12.1 or later. This fixes the code injection vulnerability when generating specific records from untrusted Avro schemas. Download the latest version from the Maven repository.
CVE-2025-33042 is a Code Injection vulnerability in Apache Avro Compiler affecting versions up to 1.12.0. It allows attackers to inject malicious code via crafted Avro schemas.
You are affected if you are using Apache Avro Compiler versions 1.12.0 or earlier. Check your dependencies and upgrade if necessary.
Upgrade to version 1.12.1 or 1.11.5. If immediate upgrade is not possible, implement schema validation to prevent processing malicious content.
As of the current date, there are no publicly known active exploits for CVE-2025-33042.
Refer to the Apache Avro project website and security mailing lists for the official advisory and updates: https://avro.apache.org/