wock9000 opened a new issue, #9999: URL: https://github.com/apache/arrow-rs/issues/9999
The `parquet` crate depends on `thrift ^0.17`, which is affected by CVE-2026-43868 (Memory Allocation with Excessive Size Value, CVSS 5.3). The advisory indicates a fix in thrift 0.23.0, but that version was never published to crates.io — the latest available is 0.17.0 (November 2022).

I understand that arrow-rs has been progressively replacing thrift internals:

- v57 shipped the custom Thrift compact protocol parser for metadata **reading** (#4891, #4892), which is a significant improvement.
- The `parquet::format` module was deprecated in v57.

The `thrift` crate remains a hard dependency for metadata **writing**. Dependabot and `cargo audit` flag this CVE for any project depending on `parquet`, with no resolution path available via version bumps.

**Question:** Is there a planned timeline for completing the thrift removal from the write path? Understanding the roadmap would help downstream consumers assess their exposure.

For reference, I've also opened an issue on [apache/thrift](https://github.com/apache/thrift) requesting publication of the 0.23.0 Rust bindings to crates.io, which would independently resolve the CVE for all current consumers.
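A downstream consumer assessing exposure to this advisory first wants to know every path by which `thrift` enters the build and which version is locked. The script below is an added example, not code from the issue or from the arrow-rs project: it parses a `Cargo.lock` with plain `sh` and `awk` (no `cargo` needed, so it also runs in a minimal CI image) and prints each dependency chain from a root package down to a named crate. The embedded lock file is a constructed sample whose package names and versions are illustrative only; it assumes the standard multi-line `dependencies = [ ... ]` layout that Cargo writes, including the `"name version"` entry form used when several versions of one crate are locked.

```shell
#!/bin/sh
# Added example: trace how a crate (e.g. thrift) enters a Cargo.lock and which
# version is pinned. Pure POSIX sh + awk; no cargo invocation required.
set -eu

# Constructed sample Cargo.lock for offline demonstration. Versions are
# illustrative and say nothing about real crate releases.
LOCK='[[package]]
name = "arrow"
version = "57.0.0"
dependencies = [
 "arrow-array",
 "parquet",
]

[[package]]
name = "arrow-array"
version = "57.0.0"

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "arrow",
 "parquet",
]

[[package]]
name = "parquet"
version = "57.0.0"
dependencies = [
 "arrow-array",
 "thrift",
]

[[package]]
name = "thrift"
version = "0.17.0"
'

# Print "name version" for every locked copy of crate $1.
locked_versions() {
    printf '%s\n' "$LOCK" | awk -v want="$1" '
        /^\[\[package\]\]/ { name = ""; ver = "" }
        /^name = /         { gsub(/"/, "", $3); name = $3 }
        /^version = /      { gsub(/"/, "", $3); ver = $3; if (name == want) print name, ver }
    '
}

# Print the names of packages whose dependencies list contains crate $1.
# A dependency entry is either "foo" or "foo 1.2.3" (when several versions
# of foo are locked); only the crate name is compared.
direct_dependents() {
    printf '%s\n' "$LOCK" | awk -v want="$1" '
        /^\[\[package\]\]/   { name = ""; indeps = 0 }
        /^name = /           { gsub(/"/, "", $3); name = $3 }
        /^dependencies = \[/ { indeps = 1; next }
        indeps && /^\]/      { indeps = 0 }
        indeps {
            dep = $1; gsub(/[",]/, "", dep)   # strip quotes and trailing comma
            if (dep == want) print name
        }
    '
}

# Print every path from a root package down to crate $1, one per line,
# as "root -> ... -> crate". Runs in a subshell so no `local` is needed.
paths_to() (
    crate=$1; chain=${2:-$1}
    parents=$(direct_dependents "$crate")
    if [ -z "$parents" ]; then
        echo "$chain"                       # reached a package nobody depends on
    else
        for p in $parents; do
            paths_to "$p" "$p -> $chain"
        done
    fi
)

locked_versions thrift
paths_to thrift
```

Against a real project, replace the constructed sample with `LOCK=$(cat Cargo.lock)`; the output tells you whether `thrift` is reachable only through `parquet` (so an arrow-rs change to the write path would remove it) or also through some other dependency that would need its own fix.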
