CVE-2025-33042
Code Injection in Apache Avro Java SDK Allows Malicious Code Execution
Publication date: 2026-02-13
Last updated on: 2026-02-20
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | avro | to 1.11.5 (exc) |
| apache | avro | 1.12.0 |
| apache | avro | 1.12.0 |
| apache | avro | 1.12.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Improper Control of Generation of Code, also known as a 'Code Injection' vulnerability, found in the Apache Avro Java SDK. It occurs when generating specific records from untrusted Avro schemas, which can lead to unsafe code execution.
How can this vulnerability impact me? :
The vulnerability can allow attackers to inject malicious code through untrusted Avro schemas, potentially leading to unauthorized code execution within applications using the affected Apache Avro Java SDK versions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users are recommended to upgrade the Apache Avro Java SDK to version 1.12.1 or 1.11.5, which contain fixes for the issue.