Severity: moderate
Affected versions:
- Apache Avro Java SDK (org.apache.avro:avro) through 1.11.4
- Apache Avro Java SDK (org.apache.avro:avro) 1.12.0
Description:
An Improper Control of Generation of Code ('Code Injection') vulnerability exists
in the Apache Avro Java SDK when it generates specific records from untrusted
Avro schemas.
This issue affects Apache Avro Java SDK: all versions through 1.11.4 and
version 1.12.0.
Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the
issue.
This issue is being tracked as AVRO-4053.
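As an added, defender-side example that is not part of this advisory or of the Avro project's own code: a small Python helper that scans build-tool dependency output for the org.apache.avro:avro coordinate and applies the version ranges this advisory states (affected through 1.11.4 and at 1.12.0; fixed in 1.11.5 and 1.12.1). The Maven dependency:list line format it parses and the sample output lines are assumptions constructed for the example; only the version facts come from the advisory.

```python
import re
from typing import List, Optional, Tuple

# Version facts taken from this advisory (CVE-2025-33042 / AVRO-4053):
#   affected: org.apache.avro:avro, every release through 1.11.4, and 1.12.0
#   fixed:    1.11.5 and 1.12.1
LAST_AFFECTED_1_11 = (1, 11, 4)
AFFECTED_1_12 = (1, 12, 0)

# Assumed input formats: Maven "dependency:list"/"dependency:tree" lines such as
#   [INFO]    org.apache.avro:avro:jar:1.11.4:compile
# and Gradle-style coordinates such as
#   org.apache.avro:avro:1.12.0
# The ":" right after "avro" keeps sibling artifacts (avro-*) out of the match.
_AVRO_RE = re.compile(r"\borg\.apache\.avro:avro:(?:jar:)?([0-9][0-9A-Za-z.\-]*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.11.4' or '1.11.4-SNAPSHOT' into a comparable tuple (1, 11, 4).

    Only the leading numeric components are compared; a qualifier such as
    -SNAPSHOT is ignored, which errs toward flagging pre-release builds.
    """
    numeric = re.match(r"[0-9]+(?:\.[0-9]+)*", text).group(0)
    parts = tuple(int(p) for p in numeric.split("."))
    if len(parts) < 3:  # pad so (1, 11) compares like (1, 11, 0)
        parts = parts + (0,) * (3 - len(parts))
    return parts


def is_affected(version: str) -> bool:
    """Apply the advisory's ranges: everything up to and including 1.11.4 is
    affected, as is 1.12.0; 1.11.5+ and 1.12.1+ contain the fix."""
    v = parse_version(version)
    return v <= LAST_AFFECTED_1_11 or v == AFFECTED_1_12


def recommended_fix(version: str) -> Optional[str]:
    """Name the fixed release on the closest branch the advisory mentions,
    or None when the version is not affected."""
    if not is_affected(version):
        return None
    return "1.12.1" if parse_version(version) >= AFFECTED_1_12 else "1.11.5"


def scan_dependency_output(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (declared_version, recommended_fix) for every vulnerable
    org.apache.avro:avro coordinate found in the given output lines."""
    findings = []
    for line in lines:
        for match in _AVRO_RE.finditer(line):
            ver = match.group(1)
            if is_affected(ver):
                findings.append((ver, recommended_fix(ver)))
    return findings


# Constructed sample of Maven output (not real project data).
SAMPLE_MVN_OUTPUT = [
    "[INFO] The following files have been resolved:",
    "[INFO]    org.apache.avro:avro:jar:1.11.4:compile",
    "[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile",
    "[INFO]    org.apache.avro:avro:jar:1.12.0:test",
    "[INFO]    org.apache.avro:avro:jar:1.12.1:compile",
]

if __name__ == "__main__":
    for declared, fix in scan_dependency_output(SAMPLE_MVN_OUTPUT):
        print(f"org.apache.avro:avro {declared} is affected; upgrade to {fix}")
```

Pipe the real output of `mvn dependency:list` (or an equivalent Gradle report) into scan_dependency_output; the two 1.11.x and 1.12.x branches are handled separately so that a 1.12.0 finding is not "fixed" by a downgrade to 1.11.5.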
Credit:
Brant Eckert (finder)
References:
https://avro.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-33042
https://issues.apache.org/jira/browse/AVRO-4053