Platform: java
Component: org.apache.avro:avro-compiler
Fixed versions: 1.11.5, 1.12.1
CVE-2025-33042 describes a code injection vulnerability in the Apache Avro Java SDK, specifically in the avro-compiler component. When records are generated from an untrusted Avro schema, content from the schema can end up in the generated Java source, so an attacker who controls a schema can inject code that runs wherever that generated code is compiled and executed. Versions up to and including 1.12.0 are affected, with the exception of the patched 1.11.5 backport. Fixes are available in versions 1.12.1 and 1.11.5.
An attacker exploiting this vulnerability crafts a malicious Avro schema that, when processed by the Avro compiler, results in arbitrary code execution on the system that builds or runs the generated classes. This could lead to complete system compromise, data exfiltration, or denial of service. The impact is most severe where Avro schemas are sourced from untrusted origins, such as external APIs, schema registries fed by third parties, or user-provided configurations. Because the injection lands directly in generated Java code rather than in a data path, it should be treated as high risk.
CVE-2025-33042 was publicly disclosed on 2026-02-13. The EPSS score at the time of writing is 0.07% (22nd percentile). No public proof-of-concept exploit is known. The vulnerability is listed in the NVD and in CISA advisories.
Applications and systems that use the Apache Avro Java SDK to generate code from Avro schemas obtained from untrusted sources are at risk. This includes data pipelines, streaming applications, and systems that integrate with external APIs using Avro schemas. Organizations running older Avro versions in production, particularly with little or no validation of incoming schemas, are especially exposed.
• java / server: locate avro-compiler JAR files on the host and check their versions against the fixed releases:
find /path/to/avro/jars -name "avro-compiler-*.jar"
• java / supply-chain: check for vulnerable avro-compiler versions in your application dependencies using dependency scanning tools (for example the output of a Maven or Gradle dependency listing).
• generic web: inspect Avro schema files received from external sources for content that is not a plain Avro identifier or ordinary documentation, since anything in the schema may be copied into generated Java source.
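The supply-chain check above, written out as an added Python example (not code from the Avro project or from this advisory). It applies the version boundaries the advisory states (fixed in 1.11.5 and 1.12.1, everything else up to 1.12.0 affected) to lines from a Maven `dependency:list` run, a Gradle dependency tree, or a `find` listing of jar files. The regex, the version-comparison rule and the sample lines are assumptions constructed for the example; only avro-compiler is checked because that is the component the advisory names.

```python
import re

# Fixed releases as stated in the advisory: 1.11.5 (backport) and 1.12.1.
FIXED_BY_LINE = {(1, 11): (1, 11, 5), (1, 12): (1, 12, 1)}
FIRST_FIXED = (1, 12, 1)

# Matches the component in Maven `dependency:list` output
# (org.apache.avro:avro-compiler:jar:1.11.3:compile), Gradle dependency trees
# (org.apache.avro:avro-compiler:1.11.3) and plain jar names
# (avro-compiler-1.11.3.jar). Assumed formats; adjust for other tools.
COMPILER_RE = re.compile(r"avro-compiler(?::jar)?[:-](\d+\.\d+\.\d+(?:-[0-9A-Za-z]+)?)")


def parse_version(version):
    """'1.11.3' or '1.12.0-SNAPSHOT' -> (1, 11, 3) / (1, 12, 0); missing parts are 0."""
    nums = []
    for part in version.split("-")[0].split(".")[:3]:
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(version):
    """True if this avro-compiler version predates the fix on its release line.

    1.11.x is fixed from 1.11.5, 1.12.x from 1.12.1; any other line older than
    1.12.1 (e.g. 1.10.x) has no fixed release and is treated as affected.
    """
    v = parse_version(version)
    fixed = FIXED_BY_LINE.get(v[:2], FIRST_FIXED)
    return v < fixed


def scan_text(text):
    """Return (line, version, affected) for every avro-compiler mention in text."""
    hits = []
    for line in text.splitlines():
        m = COMPILER_RE.search(line)
        if m:
            hits.append((line.strip(), m.group(1), is_affected(m.group(1))))
    return hits


# Constructed sample: a mix of Maven, Gradle and jar-listing lines, not real output.
SAMPLE = """\
[INFO]    org.apache.avro:avro:jar:1.11.3:compile
[INFO]    org.apache.avro:avro-compiler:jar:1.11.3:compile
+--- org.apache.avro:avro-compiler:1.12.1
/opt/app/lib/avro-compiler-1.12.0.jar
"""

if __name__ == "__main__":
    for line, version, affected in scan_text(SAMPLE):
        print(f"{'VULNERABLE' if affected else 'fixed     '} {version:<14} {line}")
```

To run it against a real build, pass the output of `mvn dependency:list`, `gradle dependencies`, or the `find` command above to `scan_text` instead of `SAMPLE`. Note that the `avro` core artifact on the first sample line is deliberately ignored: the advisory names only avro-compiler as the vulnerable component.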
Exploitation status: disclosure only (no public exploit known)
EPSS: 0.07% (22nd percentile)
The primary mitigation for CVE-2025-33042 is to upgrade the Apache Avro Java SDK to a patched version: 1.12.1, or 1.11.5 on the 1.11 line. If upgrading immediately is not possible, validate Avro schemas before passing them to the compiler so that schemas with unexpected content are rejected. This reduces the attack surface but is not a complete fix. Review any existing schema validation rules and tighten them to reject names that are not plain Avro identifiers and free-text attributes that contain anything that could break out of generated Java source. After upgrading, confirm the fix by compiling a schema that previously produced injected code and verifying that the compiler now rejects it or emits inert, correctly escaped output.
Upgrade the Apache Avro Java SDK to version 1.11.5 or later, or to 1.12.1 or later. This fixes the code injection vulnerability that occurs when generating specific records from untrusted Avro schemas. Download the latest release from the Maven repository.
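The schema validation recommended above, as an added Python example (not code from the Avro project or the vendor fix). It enforces Avro's own name grammar (`[A-Za-z_][A-Za-z0-9_]*`, dot-separated for full names) on every record, enum, fixed, field, alias and symbol, and applies a conservative policy to free-text attributes (doc strings and string defaults): anything that could close a Java string literal or block comment is rejected, because the advisory says injected schema content reaches generated Java source. The page does not say which schema attribute CVE-2025-33042 abuses, so this is defense in depth, not a reproduction of the vulnerability or of the patch; the free-text policy and the constructed sample schemas are assumptions.

```python
import json
import re

# Avro name grammar: [A-Za-z_][A-Za-z0-9_]*; a fullname is dot-separated names.
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
FULLNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*$")
# Assumed policy for free text (doc, string defaults): reject anything that could
# close a Java string literal or block comment. Tabs and newlines stay allowed.
FREE_TEXT_RE = re.compile(r'\*/|["\\]|[\x00-\x08\x0b-\x1f\x7f]')

NAMED_TYPES = {"record", "enum", "fixed"}


def _name(value, where, problems, pattern=NAME_RE):
    if not isinstance(value, str) or not pattern.match(value):
        problems.append(f"{where}: not a valid Avro name: {value!r}")


def _text(value, where, problems):
    if isinstance(value, str) and FREE_TEXT_RE.search(value):
        problems.append(f"{where}: free text contains string/comment terminators")


def _walk(node, where, problems):
    if isinstance(node, str):                      # primitive or named-type reference
        _name(node, where, problems, FULLNAME_RE)
        return
    if isinstance(node, list):                     # union
        for i, branch in enumerate(node):
            _walk(branch, f"{where}[{i}]", problems)
        return
    if not isinstance(node, dict):
        problems.append(f"{where}: unexpected schema node {type(node).__name__}")
        return
    t = node.get("type")
    if t in NAMED_TYPES:
        _name(node.get("name"), f"{where}.name", problems)
        if node.get("namespace"):                  # empty namespace is legal
            _name(node["namespace"], f"{where}.namespace", problems, FULLNAME_RE)
        for i, alias in enumerate(node.get("aliases", [])):
            _name(alias, f"{where}.aliases[{i}]", problems, FULLNAME_RE)
        _text(node.get("doc"), f"{where}.doc", problems)
    if t == "record":
        for i, field in enumerate(node.get("fields", [])):
            fw = f"{where}.fields[{i}]"
            _name(field.get("name"), f"{fw}.name", problems)
            for j, alias in enumerate(field.get("aliases", [])):
                _name(alias, f"{fw}.aliases[{j}]", problems)
            _text(field.get("doc"), f"{fw}.doc", problems)
            _text(field.get("default"), f"{fw}.default", problems)
            _walk(field.get("type"), f"{fw}.type", problems)
    elif t == "enum":
        for i, sym in enumerate(node.get("symbols", [])):
            _name(sym, f"{where}.symbols[{i}]", problems)
    elif t == "array":
        _walk(node.get("items"), f"{where}.items", problems)
    elif t == "map":
        _walk(node.get("values"), f"{where}.values", problems)
    elif t not in NAMED_TYPES:                     # primitive, reference or nested schema
        _walk(t, f"{where}.type", problems)


def validate_schema(text):
    """Parse a schema JSON string; return a list of policy violations (empty = accept)."""
    problems = []
    _walk(json.loads(text), "$", problems)
    return problems


# Constructed sample schemas for the example; neither is a real payload.
CLEAN = json.dumps({
    "type": "record", "name": "User", "namespace": "com.example",
    "doc": "A user record",
    "fields": [
        {"name": "id", "type": "long"},
        {"name": "email", "type": ["null", "string"], "default": None},
        {"name": "role", "type": {"type": "enum", "name": "Role", "symbols": ["ADMIN", "USER"]}},
    ],
})
HOSTILE = json.dumps({
    "type": "record", "name": "User", "doc": "ok */ not ok",
    "fields": [{"name": "id; x()", "type": "long"}],
})

if __name__ == "__main__":
    for label, schema in (("clean", CLEAN), ("hostile", HOSTILE)):
        print(label, validate_schema(schema) or "accepted")
```

Call `validate_schema` on every schema that arrives from outside the trust boundary, and only hand schemas with an empty problem list to the Avro compiler. The name rules are exactly Avro's, so a well-formed schema never trips them; the free-text rule is stricter than Avro requires and may reject legitimate but unusual doc strings, which is the intended trade-off for an interim control.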
CVE-2025-33042 is a code injection vulnerability in the Apache Avro compiler (avro-compiler) affecting versions up to and including 1.12.0. It allows attackers to inject malicious code into generated Java source via crafted Avro schemas.
You are affected if you use Apache Avro compiler version 1.12.0 or earlier, other than the patched 1.11.5 backport. Check your dependencies and upgrade if necessary.
Upgrade to version 1.12.1 or 1.11.5. If an immediate upgrade is not possible, validate incoming schemas so that malicious content is rejected before the compiler processes it.
At the time of writing there are no publicly known active exploits for CVE-2025-33042.
Refer to the Apache Avro project website and security mailing lists for the official advisory and updates: https://avro.apache.org/