oss-sec mailing list archives

CVE-2025-33042: Apache Avro Java SDK: Code injection on Java generated code


From: Ryan Skraba <rskraba () apache org>
Date: Thu, 12 Feb 2026 18:03:27 +0000

Severity: moderate 

Affected versions:

- Apache Avro Java SDK (org.apache.avro:avro) through 1.11.4
- Apache Avro Java SDK (org.apache.avro:avro) 1.12.0

Description:

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating 
specific records from untrusted Avro schemas.

This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0.

Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.
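The affected-version list above has a gap that a naive "older than 1.12.1" comparison gets wrong: 1.11.5 is a fixed release even though it sorts before 1.12.0, which is affected. The following script is an added example (not part of the advisory or the Avro project) that encodes the advisory's ranges exactly and scans constructed `mvn dependency:tree` output for the `org.apache.avro:avro` artifact; the sample tree, the helper names and the conservative treatment of pre-release qualifiers are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Ranges as stated in the advisory: all releases through 1.11.4 and 1.12.0
# are affected; 1.11.5 and 1.12.1 carry the fix.
FIXED_1_11 = (1, 11, 5)
FIXED_1_12 = (1, 12, 1)

# Maven dependency:tree prints groupId:artifactId:type:version:scope.
# Only the artifact named in the advisory is matched.
DEP_RE = re.compile(r"org\.apache\.avro:avro:jar:([^:\s]+)")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Split '1.11.4' or '1.11.5-SNAPSHOT' into a numeric tuple and a
    flag saying whether a qualifier (pre-release marker) was present."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(-[^\s]+)?$", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numeric = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return numeric, m.group(4) is not None


def is_affected(version: str) -> bool:
    """True if the given org.apache.avro:avro version falls inside the
    advisory's affected ranges."""
    v, prerelease = parse_version(version)
    # Assumption for this example: a pre-release build of a fixed version
    # (e.g. 1.11.5-SNAPSHOT) is treated as not yet carrying the fix.
    if prerelease and v in (FIXED_1_11, FIXED_1_12):
        return True
    if v < FIXED_1_11:
        return True              # every release through 1.11.4
    if v[:2] == (1, 11):
        return False             # 1.11.5 and later patch releases on that line
    if v[:2] == (1, 12):
        return v < FIXED_1_12    # only 1.12.0 is affected on the 1.12 line
    return False                 # newer lines are outside the advisory's scope


def find_affected(tree_output: str) -> List[str]:
    """Return the affected org.apache.avro:avro versions present in
    dependency:tree output, in the order they appear."""
    hits = []
    for line in tree_output.splitlines():
        m = DEP_RE.search(line)
        if m and is_affected(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample of dependency:tree output (not a real project).
SAMPLE_TREE = """\
[INFO] com.example:ingest:jar:1.0
[INFO] +- org.apache.avro:avro:jar:1.11.4:compile
[INFO] +- org.apache.avro:avro:jar:1.12.1:test
[INFO] \\- com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
"""

if __name__ == "__main__":
    for version in find_affected(SAMPLE_TREE):
        print(f"affected org.apache.avro:avro version in build: {version}")
```

Run it against real output by piping `mvn dependency:tree` into a file and passing the contents to `find_affected`; the scope column is deliberately ignored, because a test-scoped copy of the library still runs the code generator on whatever schemas the build feeds it.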

This issue is being tracked as AVRO-4053 

Credit:

Brant Eckert (finder)

References:

https://avro.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-33042
https://issues.apache.org/jira/browse/AVRO-4053

