CVE-2025-33042

Source
https://cve.org/CVERecord?id=CVE-2025-33042
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-33042.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-33042
Aliases
Downstream
Related
Published
2026-02-13T12:16:07.570Z
Modified
2026-02-22T01:53:37.569404Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
[none]
Details

Improper Control of Generation of Code ('Code Injection') vulnerability in the Apache Avro Java SDK, triggered when Java classes for specific records are generated from untrusted Avro schemas.

This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0.

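Users should upgrade to version 1.12.1 or 1.11.5, which fix the issue. Because the issue arises only when code is generated from untrusted schemas, schemas from untrusted sources should not be passed to the code generator on affected versions.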

References

Affected packages

Git / github.com/apache/avro

Affected ranges

Type
GIT
Repo
https://github.com/apache/avro
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

release-1.*
release-1.11.0
release-1.11.0-rc1
release-1.11.0-rc2
release-1.11.1
release-1.11.1-rc1
release-1.11.2
release-1.11.2-rc1
release-1.11.3
release-1.11.3-rc1
release-1.11.4
release-1.11.5-RC0

Database specific

vanir_signatures
[
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "291309800966843137947536545290032695159",
                "221037608479349514828638049023753841869",
                "315349996930919669934619115542338635801",
                "297219962978289013949108349949537781373",
                "272910421913207300507468130701630172916",
                "170200307531041902844093467846247043852",
                "257696663555733373567494095768409786221",
                "190924354717666708339553501730895217287",
                "224589439695360237174914848439162696008"
            ]
        },
        "source": "https://github.com/apache/avro/commit/257db287e4cf3f3831013780e709226d4aa188d9",
        "deprecated": false,
        "id": "CVE-2025-33042-083a1499",
        "signature_type": "Line",
        "target": {
            "file": "lang/java/compiler/src/test/java/org/apache/avro/compiler/specific/TestSpecificCompiler.java"
        },
        "signature_version": "v1"
    },
    {
        "digest": {
            "length": 466.0,
            "function_hash": "32788602440209861843884792714707363535"
        },
        "source": "https://github.com/apache/avro/commit/257db287e4cf3f3831013780e709226d4aa188d9",
        "deprecated": false,
        "id": "CVE-2025-33042-34c672b6",
        "signature_type": "Function",
        "target": {
            "function": "javaAnnotations",
            "file": "lang/java/compiler/src/main/java/org/apache/avro/compiler/specific/SpecificCompiler.java"
        },
        "signature_version": "v1"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "70771956055940442514103611574301114154",
                "238903126193692026002511292991439891563",
                "300906517244693446487937585945550490448",
                "208827671120222188732267556602830336861",
                "46262050765424080087731599745530234117",
                "217116392064333751629977133211242667556",
                "330199537522653320165707225666721878474",
                "261400939099411121099566912930451212963",
                "258504385302819325578918495081448122546",
                "134725490339041595859278718042141308773",
                "256881393042175191513787229119012532126",
                "59618892000578408467121870609369899489",
                "81974687732621857746509896468957032518",
                "66398935291910999419497150480459600670",
                "188714196139622641091367112218836400048",
                "8682127004718845371017478450226688684",
                "70374232380200534640351897473476193966",
                "286133326394466185488886464481448443932",
                "185531377118408463826116287966828968498",
                "36989222978632851688226362820435483920",
                "297969883165229994553685187753389185344",
                "97752416601766057788212817459040229965",
                "130648611176324906569536615708418682764",
                "308067925127412434029531244835481049146",
                "48450229955444445478261254704838572703",
                "182922208540893286752063490037158396617",
                "221583899330277162497754445847262678530",
                "269191592085265711876533001616218781197",
                "143193421323882948310740841132108965602",
                "118098057086160394453256441589526704912",
                "135885473812845987448263785048101326937",
                "48842657684933011318605222139496299666",
                "96374062915015664357954062759603122110",
                "175991049823875534407563527860232381197"
            ]
        },
        "source": "https://github.com/apache/avro/commit/257db287e4cf3f3831013780e709226d4aa188d9",
        "deprecated": false,
        "id": "CVE-2025-33042-9fc3eb30",
        "signature_type": "Line",
        "target": {
            "file": "lang/java/compiler/src/main/java/org/apache/avro/compiler/specific/SpecificCompiler.java"
        },
        "signature_version": "v1"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "119733935718277627224716802179174359496",
                "36013791008060821061663577733737481918",
                "229007013215136918271743442596489128921",
                "139173181423621862363735826218444014392"
            ]
        },
        "source": "https://github.com/apache/avro/commit/257db287e4cf3f3831013780e709226d4aa188d9",
        "deprecated": false,
        "id": "CVE-2025-33042-a70e8b1e",
        "signature_type": "Line",
        "target": {
            "file": "lang/java/ipc/src/test/java/org/apache/avro/compiler/specific/TestSpecificCompiler.java"
        },
        "signature_version": "v1"
    },
    {
        "digest": {
            "length": 80.0,
            "function_hash": "270343127961230285353372754179074138435"
        },
        "source": "https://github.com/apache/avro/commit/257db287e4cf3f3831013780e709226d4aa188d9",
        "deprecated": false,
        "id": "CVE-2025-33042-a8dc4b74",
        "signature_type": "Function",
        "target": {
            "function": "escapeForJavadoc",
            "file": "lang/java/compiler/src/main/java/org/apache/avro/compiler/specific/SpecificCompiler.java"
        },
        "signature_version": "v1"
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-33042.json"