
BleepingComputer reports that Amazon Web Services, Google, Microsoft Azure, Hadoop, and other big data platforms could be subjected to significant compromise through the exploitation of a maximum-severity remote code execution vulnerability impacting the widely used open-source columnar storage format Apache Parquet, tracked as CVE-2025-30065.
Attacks leveraging the flaw, which Amazon researcher Keyi Li discovered to stem from untrusted data serialization, could result in system takeovers, data theft or tampering, ransomware compromise, and service disruptions, according to an analysis from Endor Labs. "Despite the frightening potential, it's important to note that the vulnerability can only be exploited if a malicious Parquet file is imported," said Endor Labs, which urged organizations to immediately verify their Parquet software version, as those earlier than 1.8.0 could also be affected by the issue. Meanwhile, organizations that cannot promptly apply the Parquet 1.15.1 update were advised to restrict or thoroughly vet untrusted Parquet files, as well as bolster logging and tracking of systems with Parquet.
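
One way to carry out the version check urged above, as an added example that is not from the article or from Endor Labs: it walks a directory tree, finds Parquet jars, and flags any below the 1.15.1 update. The Maven-style jar naming pattern and the function names are assumptions, and copies of Parquet shaded or repackaged inside other jars are not detected.

```python
import re
import sys
from pathlib import Path

FIXED = (1, 15, 1)  # the Parquet update named in the article

# Assumption: jars keep the Maven naming pattern parquet-<module>-<version>.jar
JAR_RE = re.compile(r"^parquet-[a-z0-9-]+?-(\d+(?:\.\d+)*)(?:[.-][\w.-]+)?\.jar$")


def parse_version(jar_name):
    """Return the leading (major, minor, patch) of a Parquet jar, or None."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0])[:3])


def audit(root):
    """Walk root and return (path, version, status) for every Parquet jar."""
    findings = []
    for jar in sorted(Path(root).rglob("parquet-*.jar")):
        version = parse_version(jar.name)
        if version is None:
            status = "unknown"      # unversioned or oddly named: inspect manually
        elif version < FIXED:
            status = "outdated"     # below the 1.15.1 update
        else:
            status = "ok"
        findings.append((str(jar), version, status))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    results = audit(root)
    for path, version, status in results:
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{status:9} {shown:10} {path}")
    # Non-zero exit lets a CI job or cron wrapper fail on outdated or unknown jars
    sys.exit(1 if any(s != "ok" for _, _, s in results) else 0)
```

Run it against application library directories or container image layers; an `unknown` result means the jar name carried no parseable version and needs a manual look.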