6.9

Apache Avro Java SDK can be Tricked into Running Malicious Code

CVE-2025-33042 GHSA-rp46-r563-jrc7
Summary

An attacker who can supply an untrusted Avro schema can inject code into your system when the Apache Avro Java SDK generates specific-record classes from that schema. This affects all versions of the Apache Avro Java SDK up to 1.11.4 and version 1.12.0. To fix this, update to version 1.12.1 or 1.11.5.

What to do
  • Update apache org.apache.avro:avro-compiler to version 1.12.1.
  • Update apache org.apache.avro:avro-compiler to version 1.11.5.
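An added dependency check, not part of this advisory or of the Avro project: it scans the output of `mvn dependency:list` for the Avro coordinates and affected versions stated above and names the fixed version for each hit. It assumes the "avro" product row corresponds to the Maven artifact org.apache.avro:avro, and the sample output below is constructed.

```python
GROUP = "org.apache.avro"
# Artifacts named in the advisory; "avro" is assumed to be org.apache.avro:avro.
AFFECTED_ARTIFACTS = {"avro-compiler", "avro"}

def parse_version(v):
    """'1.11.4' or '1.12.0-SNAPSHOT' -> (1, 11, 4) / (1, 12, 0); pads missing parts with 0."""
    parts = [int(p) for p in v.split("-")[0].split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def is_affected(version):
    """Affected per the advisory: every version through 1.11.4, plus exactly 1.12.0."""
    v = parse_version(version)
    return v <= (1, 11, 4) or v == (1, 12, 0)

def fixed_version_for(version):
    """1.11.x users move to 1.11.5; 1.12.0 users move to 1.12.1."""
    return "1.11.5" if parse_version(version) < (1, 12, 0) else "1.12.1"

def parse_dep_line(line):
    """Extract (groupId, artifactId, version) from a `mvn dependency:list` line, else None.
    Coordinates look like g:a:type:version[:scope] or g:a:type:classifier:version:scope."""
    tokens = line.split()
    parts = tokens[-1].split(":") if tokens else []
    if len(parts) == 4:
        return parts[0], parts[1], parts[3]
    if len(parts) == 5:
        return parts[0], parts[1], parts[3]
    if len(parts) == 6:
        return parts[0], parts[1], parts[4]
    return None

def scan_dependency_list(text):
    """Return [(coordinate, version, fixed_version)] for every affected Avro dependency."""
    findings = []
    for line in text.splitlines():
        parsed = parse_dep_line(line)
        if parsed is None:
            continue
        group, artifact, version = parsed
        if group == GROUP and artifact in AFFECTED_ARTIFACTS and is_affected(version):
            findings.append((f"{group}:{artifact}", version, fixed_version_for(version)))
    return findings

# Constructed sample of `mvn dependency:list` output (not a real project).
SAMPLE = """[INFO] The following files have been resolved:
[INFO]    org.apache.avro:avro:jar:1.11.4:compile
[INFO]    org.apache.avro:avro-compiler:jar:1.12.0:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.17.0:compile
[INFO]    org.apache.avro:avro:jar:1.11.5:runtime
"""

if __name__ == "__main__":
    for coord, version, fix in scan_dependency_list(SAMPLE):
        print(f"{coord} {version} is affected by CVE-2025-33042; upgrade to {fix}")
```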
Affected software
Vendor   Product                          Affected versions   Fix available
apache   org.apache.avro:avro-compiler    1.12.0              1.12.1
apache   org.apache.avro:avro-compiler    <= 1.11.5           1.11.5
apache   avro                             <= 1.11.5
apache   avro                             1.12.0
Original title
Apache Avro Java SDK is Vulnerable to Code Injection
Original description
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.

This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0.

Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.
NVD CVSS 3.1 score: 7.3
Vulnerability type
CWE-94 Code Injection
Published: 13 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026