CVE-2025-33042: Apache Avro Java SDK is Vulnerable to Code Injection
Improper Control of Generation of Code (‘Code Injection’) vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.
This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0.
Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.
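One way to triage this advisory across a Java build, as an added example that is not part of the advisory or of the Apache Avro project: the script below encodes the affected ranges exactly as stated above (all versions through 1.11.4 and version 1.12.0; fixed in 1.11.5 and 1.12.1) and flags matching `org.apache.avro:avro` coordinates in `mvn dependency:list`-style or Gradle-style output. The input lines are constructed for illustration, the restriction to the `avro` artifactId and the treatment of pre-releases of a fix version as still affected are this example's assumptions.

```python
"""Flag Apache Avro Java SDK versions affected by CVE-2025-33042.

Added example, not code from the advisory or the Avro project. Ranges are
taken from the advisory text: affected through 1.11.4 and exactly 1.12.0,
fixed in 1.11.5 and 1.12.1.
"""
import re

GROUP_ID = "org.apache.avro"
ARTIFACT_ID = "avro"          # assumption: only the SDK artifact itself is checked
FIXED_1_11 = (1, 11, 5)
FIXED_1_12 = (1, 12, 1)

# Constructed sample of `mvn dependency:list` output (not real project data).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.avro:avro:jar:1.11.3:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
[INFO]    org.apache.avro:avro:jar:1.12.1:test
"""


def parse_version(text):
    """Split '1.11.4', '1.9' or '1.12.1-rc1' into ((major, minor, patch), is_prerelease)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    core = tuple(int(part or 0) for part in m.groups()[:3])
    return core, bool(m.group(4))


def is_affected(version):
    """True when `version` falls inside the advisory's affected ranges."""
    core, prerelease = parse_version(version)
    if core < FIXED_1_11:            # everything up to and including 1.11.4
        return True
    if core < (1, 12, 0):            # 1.11.5 and later 1.11.x releases are fixed,
        return core == FIXED_1_11 and prerelease   # except a pre-release of 1.11.5 (assumption)
    if core < FIXED_1_12:            # exactly 1.12.0 (and its pre-releases)
        return True
    return core == FIXED_1_12 and prerelease       # 1.12.1+ fixed; 1.12.1 pre-release not (assumption)


def extract_coordinate(line):
    """Return (groupId, artifactId, version) from a Maven or Gradle coordinate, else None.

    Handles `group:artifact:type[:classifier]:version:scope` and `group:artifact:version`
    by taking the first colon-separated segment after artifactId that starts with a digit.
    """
    m = re.search(r"(?:[A-Za-z0-9_.\-]+:){2,}[A-Za-z0-9_.\-]+", line)
    if not m:
        return None
    parts = m.group(0).split(":")
    for segment in parts[2:]:
        if segment and segment[0].isdigit():
            return parts[0], parts[1], segment
    return None


def scan_dependency_list(lines):
    """Return [(groupId:artifactId, version)] for every affected Avro SDK dependency."""
    hits = []
    for line in lines:
        coord = extract_coordinate(line)
        if coord is None:
            continue
        group, artifact, version = coord
        if group == GROUP_ID and artifact == ARTIFACT_ID and is_affected(version):
            hits.append((f"{group}:{artifact}", version))
    return hits


if __name__ == "__main__":
    for name, version in scan_dependency_list(SAMPLE_DEPENDENCY_LIST.splitlines()):
        print(f"CVE-2025-33042: {name} {version} is affected; upgrade to 1.11.5 or 1.12.1")
```

Feed it the real output of `mvn dependency:list` (or a Gradle dependency report) instead of the constructed sample; transitive pulls of the SDK are listed there too, which is where an unnoticed affected version usually hides.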