Canary Exploit Tool Allows Users to Identify Servers Affected by Apache Parquet Flaw
F5 Labs has released a proof-of-concept (PoC) tool, dubbed "canary exploit," which enables users to identify servers vulnerable to the critical Apache Parquet vulnerability CVE-2025-30065. This tool is available on F5 Labs' GitHub repository and serves as a valuable resource for developers and security teams to quickly assess if their systems are affected by this flaw.
Apache Parquet's Java Library is a software library used for reading and writing Parquet files in the Java programming language. Parquet is a columnar storage file format optimized for large-scale data processing frameworks such as Apache Hadoop, Apache Spark, and Apache Drill. In April 2025, experts disclosed a critical vulnerability (tracked as CVE-2025-30065) impacting Apache Parquet's Java Library, which can allow remote code execution.
The vulnerability, tracked as CVE-2025-30065 (CVSS score of 10.0), is a Deserialization of Untrusted Data issue that affects systems importing Parquet files from untrusted sources. This flaw can be exploited by attackers tampering with the files. Versions 1.15.0 and earlier are vulnerable, impacting big-data frameworks and custom applications using Parquet.
According to Endor Labs, if an attacker tricks a vulnerable system into reading a specially crafted Parquet file, they could gain remote code execution on that system. This might allow them to access sensitive data or execute malicious code, compromising the confidentiality, integrity, and availability of the affected system.
Despite the frightening potential of this vulnerability, it's essential to note that it can only be exploited if a malicious Parquet file is imported. As of April 2025, there are no known active exploits for this vulnerability, but threat actors may attempt to exploit it now that the issue is public.
F5 Labs urges users to address the issue immediately by upgrading Apache Parquet Java to version 1.15.1 or later. To protect your systems from CVE-2025-30065, you can also avoid or validate Parquet files from untrusted sources and implement input validation. Enabling monitoring and logging will help detect suspicious behavior, and staying informed on updates from Apache or cybersecurity authorities is crucial.
Researchers have created the "canary exploit" tool to facilitate quick testing of the vulnerability and ensure that it has been fixed by applying patches and proper configuration. This tool allows for easy identification of vulnerable servers and helps reduce response time in complex environments with hidden dependencies.
"Various exploitation scenarios for this CVE are possible, but all require a malicious Parquet/Avro file to be placed into an environment which will use the Apache Parquet Avro module to parse it," concludes the report. "If you use Apache Parquet Java to parse Parquet files that include embedded Avro, then you should investigate patching." While this issue requires a specific set of circumstances, it's essential for developers and security teams to be aware of this vulnerability and take proactive measures to protect their systems.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon for the latest cybersecurity news and updates.
Key Takeaways:
* Apache Parquet's Java Library is vulnerable to the critical CVE-2025-30065 flaw. * The vulnerability can allow remote code execution if a malicious Parquet file is imported. * F5 Labs has released a PoC tool, dubbed "canary exploit," to help identify vulnerable servers. * Users should upgrade Apache Parquet Java to version 1.15.1 or later and implement input validation. * Monitoring and logging can help detect suspicious behavior, and staying informed on updates is crucial.
Stay Safe:
To protect your systems from this vulnerability, follow these best practices:
1. Upgrade Apache Parquet Java to version 1.15.1 or later. 2. Avoid or validate Parquet files from untrusted sources. 3. Implement input validation for all incoming data. 4. Enable monitoring and logging to detect suspicious behavior. 5. Stay informed on updates from Apache or cybersecurity authorities.
By taking these proactive measures, you can reduce the risks associated with this vulnerability and protect your systems from potential exploitation.