CVE-2025-33042
Severity: HIGH 7.3 | EPSS: 0.06%
Apache Avro Java SDK is Vulnerable to Code Injection
Published: 2/13/2026 | Modified: 5/20/2026
Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas. This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0. Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.
Affected packages (2)
- Maven / org.apache.avro:avro-compiler: >= 1.12.0, < 1.12.1
- PyPI / avro: from 0, < 1.11.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 7.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
References (8)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-33042
- ADVISORY: http://www.openwall.com/lists/oss-security/2026/02/12/2
- PATCH: https://github.com/apache/avro
- REPORT: https://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1
- WEB: https://github.com/apache/avro/commit/84bc7322ca1c04ab4a8e4e708acf1e271541aac4
- WEB: https://github.com/apache/avro/pull/3150
- WEB: https://issues.apache.org/jira/browse/AVRO-4053
- WEB: https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEAVRO-15282783