CVE-2025-33042
Awaiting Analysis
Awaiting Analysis - Queue
Code Injection in Apache Avro Java SDK Allows Malicious Code Execution
Publication date: 2026-02-13
Last updated on: 2026-02-20
Assigner: Apache Software Foundation
Description
Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.
This issue affects Apache Avro Java SDK: all versions through 1.11.4 and versionΒ 1.12.0.
Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | avro | to 1.11.5 (exc) |
| apache | avro | 1.12.0 |
| apache | avro | 1.12.0 |
| apache | avro | 1.12.0 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
