CVE-2025-33042: Apache Avro Java SDK is Vulnerable to Code Injection
Improper Control of Generation of Code ('Code Injection') vulnerability in the Apache Avro Java SDK when generating specific-record classes from untrusted Avro schemas: the schema is input to Java source-code generation, so an attacker who controls the schema can influence the code that is generated and later compiled.
This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0.
Users are recommended to upgrade to version 1.11.5 or 1.12.1, which fix the issue. Until the upgrade is in place, treat schemas used for code generation as trusted input and do not generate classes from schemas supplied by untrusted parties.
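As an added example (not part of this advisory or of the Avro project), the following Python script checks `mvn dependency:tree` output for Apache Avro artifacts whose version falls in the affected range stated above (all releases through 1.11.4, plus 1.12.0) and names the nearest fixed release. The set of artifact names it inspects, the constructed sample tree, and the conservative treatment of pre-release builds of a fix version (for example `1.11.5-SNAPSHOT`) as still affected are assumptions of the example, not statements from the advisory.

```python
"""Check Maven dependency-tree output for Apache Avro Java artifacts in the
CVE-2025-33042 affected range (all releases through 1.11.4, plus 1.12.0)."""
import re
from typing import List, Optional, Tuple

AVRO_GROUP = "org.apache.avro"
# Artifacts assumed (for this example) to carry the Java SDK / code generator.
AVRO_ARTIFACTS = {"avro", "avro-compiler", "avro-tools", "avro-maven-plugin"}

# Maven coordinates as printed by `mvn dependency:tree`:
#   group:artifact:type:version                    (the root project)
#   group:artifact:type:version:scope              (a dependency)
#   group:artifact:type:classifier:version:scope   (a dependency with classifier)
_COORDS = re.compile(r"([\w.\-]+(?::[\w.\-]+){3,5})\s*$")
# Pre-release qualifiers that may predate the fix on an otherwise fixed number.
_PRERELEASE = re.compile(r"-(SNAPSHOT|rc|alpha|beta|M)\d*$", re.IGNORECASE)


def parse_dependency_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (group, artifact, version) for a dependency-tree line, else None."""
    line = re.sub(r"\s*\(.*\)\s*$", "", line)  # drop "(version managed from ...)" notes
    m = _COORDS.search(line)
    if m is None:
        return None
    fields = m.group(1).split(":")
    if len(fields) == 4:
        group, artifact, _type, version = fields
    elif len(fields) == 5:
        group, artifact, _type, version, _scope = fields
    elif len(fields) == 6:
        group, artifact, _type, _classifier, version, _scope = fields
    else:
        return None
    return group, artifact, version


def parse_version(version: str) -> Tuple[int, int, int]:
    """Numeric major.minor.patch of a Maven version; qualifiers are dropped."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    parts: List[int] = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True if the version falls in the advisory's affected range.

    Fixed releases are 1.11.5 and 1.12.1. A pre-release build of a fix version
    (e.g. 1.11.5-SNAPSHOT) is conservatively treated as affected (assumption)."""
    v = parse_version(version)
    pre = _PRERELEASE.search(version) is not None
    if v >= (1, 12, 0):
        return v == (1, 12, 0) or (v == (1, 12, 1) and pre)
    return v < (1, 11, 5) or (v == (1, 11, 5) and pre)


def fixed_version_for(version: str) -> str:
    """Nearest fixed release named by the advisory for this version line."""
    return "1.12.1" if parse_version(version) >= (1, 12, 0) else "1.11.5"


def scan_dependency_tree(text: str) -> List[Tuple[str, str, bool]]:
    """Return (artifact, version, affected) for every Avro artifact in the tree."""
    findings = []
    for line in text.splitlines():
        parsed = parse_dependency_line(line)
        if parsed is None:
            continue
        group, artifact, version = parsed
        if group == AVRO_GROUP and artifact in AVRO_ARTIFACTS:
            findings.append((artifact, version, is_affected(version)))
    return findings


# Constructed sample output of `mvn dependency:tree`, not from a real project.
SAMPLE_TREE = """\
[INFO] com.example:schema-service:jar:1.0-SNAPSHOT
[INFO] +- org.apache.avro:avro:jar:1.11.4:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.17.2:compile
[INFO] +- org.apache.avro:avro-compiler:jar:1.12.0:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.16:compile
"""

if __name__ == "__main__":
    for artifact, version, affected in scan_dependency_tree(SAMPLE_TREE):
        status = f"AFFECTED, upgrade to {fixed_version_for(version)}" if affected else "ok"
        print(f"{AVRO_GROUP}:{artifact}:{version}  {status}")
```

Run it against real output with `mvn dependency:tree > tree.txt` and feed the file contents to `scan_dependency_tree`. Note that a Maven build can also pull the code generator in through a plugin rather than a dependency, so check the plugin section of the POM for the Avro plugin version as well; `dependency:tree` alone will not list it.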
References
- github.com/advisories/GHSA-rp46-r563-jrc7
- github.com/apache/avro
- github.com/apache/avro/commit/84bc7322ca1c04ab4a8e4e708acf1e271541aac4
- github.com/apache/avro/pull/3150
- issues.apache.org/jira/browse/AVRO-4053
- lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1
- nvd.nist.gov/vuln/detail/CVE-2025-33042
- security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEAVRO-15282783