GHSA-rp46-r563-jrc7Medium
Apache Avro Java SDK is Vulnerable to Code Injection
🔗 CVE IDs covered (1)
📋 Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.
This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0.
Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.
🎯 Affected products2
- maven/org.apache.avro:avro-compiler:= 1.12.0
- maven/org.apache.avro:avro-compiler:< 1.11.5
🔗 References (9)
- https://nvd.nist.gov/vuln/detail/CVE-2025-33042
- https://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1
- http://www.openwall.com/lists/oss-security/2026/02/12/2
- https://github.com/apache/avro/pull/3150
- https://github.com/apache/avro/commit/84bc7322ca1c04ab4a8e4e708acf1e271541aac4
- https://issues.apache.org/jira/browse/AVRO-4053
- https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEAVRO-15282783
- https://github.com/pypa/advisory-database/tree/main/vulns/avro/PYSEC-2026-26.yaml
- https://github.com/advisories/GHSA-rp46-r563-jrc7