[Bug]: Security vulnerability in parquet serialization and deserialization #34543

Closed
iamadhee opened this issue Apr 4, 2025 · 3 comments

iamadhee commented Apr 4, 2025

What happened?

Recently a maximum-severity vulnerability has been found in the Apache Parquet module, versions 1.15.0 and below. The vulnerability has already been listed in NVD. Attaching the link below:
https://nvd.nist.gov/vuln/detail/CVE-2025-30065#VulnChangeHistorySection

Issue Priority

Priority: 0 (outage / urgent vulnerability)

Issue Components

  • Component: Python SDK
  • Component: Java SDK
  • Component: Go SDK
  • Component: Typescript SDK
  • Component: IO connector
  • Component: Beam YAML
  • Component: Beam examples
  • Component: Beam playground
  • Component: Beam katas
  • Component: Website
  • Component: Infrastructure
  • Component: Spark Runner
  • Component: Flink Runner
  • Component: Samza Runner
  • Component: Twister2 Runner
  • Component: Hazelcast Jet Runner
  • Component: Google Cloud Dataflow Runner

iamadhee commented Apr 4, 2025

I use Java SDK version 2.63.0. My parquets are getting written with the below versioning:

  created_by: parquet-mr version 1.13.1 (build db4183109d5b734ec5930d870cdae161e408ddba)
  num_columns: 10
  num_rows: 2
  num_row_groups: 1
  format_version: 1.0
  serialized_size: 3189

@ahmedabu98 (Contributor)

Thanks for opening this, @iamadhee. We updated our parquet versions to 1.15.1 in #34573.

github-actions bot added this to the 2.65.0 Release milestone Apr 22, 2025

@ahmedabu98 (Contributor)

Should be available in the next Beam release 2.65.0
