CVE-2025-46762: CWE-73 External Control of File Name or Path in Apache Software Foundation Apache Parquet Java

Severity: High
Tags: Vulnerability, CVE-2025-46762, CWE-73
Published: Tue May 06 2025 (05/06/2025, 09:08:13 UTC)
Source: CVE
Vendor/Project: Apache Software Foundation
Product: Apache Parquet Java

Description

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be executed. The exploit is only applicable if the client code of parquet-avro uses the "specific" or the "reflect" models deliberately for reading Parquet files. ("generic" model is not impacted) Users are recommended to upgrade to 1.15.2 or set the system property "org.apache.parquet.avro.SERIALIZABLE_PACKAGES" to an empty string on 1.15.1. Both are sufficient to fix the issue.

AI-Powered Analysis

Last updated: 07/05/2025, 15:56:01 UTC

Technical Analysis

CVE-2025-46762 is a high-severity vulnerability in the Apache Parquet Java library, specifically in the parquet-avro module, and is a follow-up to the schema-parsing issue that 1.15.1 tried to fix. The Avro schema that parquet-avro stores in a Parquet file's footer can carry class-name attributes (for example "java-class") which the "specific" and "reflect" data models resolve and instantiate by reflection, so a crafted file can cause classes present on the reading application's classpath to be loaded and constructed under attacker control. Version 1.15.1 introduced the system property "org.apache.parquet.avro.SERIALIZABLE_PACKAGES" to restrict the packages from which such classes may be loaded, but its default list of trusted packages still admits classes that can be abused, leaving a residual attack surface in 1.15.1 and every earlier version. The "generic" model does not honor these attributes and is not affected. Although the CVE is classified as CWE-73 (External Control of File Name or Path), the mechanism is attacker-controlled class loading rather than path manipulation. Exploitation requires that the client application read attacker-supplied Parquet files with the specific or reflect model. The issue is fully fixed in 1.15.2; on 1.15.1, setting the property to an empty string disables loading of any schema-named class. The property does not exist in 1.15.0 and earlier, where upgrading is the only remedy. The CVSS 4.0 base score of 7.1 reflects a network attack vector, low attack complexity, low privileges required and user interaction required. Because the payload runs inside the affected application, confidentiality, integrity and availability are all impacted.
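The following Python scanner is an added example for this page, not code from Apache Parquet. It shows the check a consumer could apply to the Avro schema that parquet-avro stores in the Parquet footer (under the "parquet.avro.schema" key) before handing a file to a specific or reflect reader: it walks the schema for the class-name attributes those models honor ("java-class", "java-key-class", "java-element-class") and evaluates each named class against a prefix allow-list of the kind SERIALIZABLE_PACKAGES implements. The sample schema, its class names and the non-empty allow-list used in the demo are constructed for illustration; the list is not the library's default.

```python
"""Audit the Avro schema embedded in a Parquet footer for class-name
attributes that parquet-avro's "specific"/"reflect" models resolve by
reflection. Added example for this page; not Apache Parquet code."""
import json

# Attributes through which an Avro schema can name a Java class
# (assumed set to cover; taken from Avro's specific/reflect conventions).
CLASS_ATTRS = ("java-class", "java-key-class", "java-element-class")


def find_class_refs(schema, path="$"):
    """Return [(path, attribute, class_name)] for every class-name attribute
    in the schema, descending through records, fields, unions, arrays, maps."""
    refs = []
    if isinstance(schema, dict):
        for attr in CLASS_ATTRS:
            if attr in schema:
                refs.append((path, attr, str(schema[attr])))
        for key, value in schema.items():
            if key == "fields":
                for field in value:
                    name = field.get("name", "?")
                    refs.extend(find_class_refs(field, f"{path}.{name}"))
            elif key in ("type", "items", "values"):
                refs.extend(find_class_refs(value, f"{path}.{key}"))
    elif isinstance(schema, list):  # a union: scan every branch
        for i, branch in enumerate(schema):
            refs.extend(find_class_refs(branch, f"{path}[{i}]"))
    return refs


def is_trusted(class_name, trusted_packages):
    """Prefix allow-list of the kind SERIALIZABLE_PACKAGES implements.
    Matches on a package boundary ("java.util" must not admit "java.utility");
    an empty list trusts nothing, which is the 1.15.1 interim mitigation."""
    return any(class_name.startswith(pkg + ".") for pkg in trusted_packages)


def audit_schema(schema_json, trusted_packages):
    """Split the schema's class references into (rejected, allowed)."""
    refs = find_class_refs(json.loads(schema_json))
    rejected = [r for r in refs if not is_trusted(r[2], trusted_packages)]
    allowed = [r for r in refs if is_trusted(r[2], trusted_packages)]
    return rejected, allowed


# Constructed sample: what a hostile file might carry under the footer key
# "parquet.avro.schema". The class names are placeholders; java.util.Date
# only illustrates that any class under a trusted prefix is let through.
SAMPLE_SCHEMA_DICT = {
    "type": "record", "name": "Event", "namespace": "example",
    "fields": [
        {"name": "id", "type": "long"},
        {"name": "payload",
         "type": {"type": "string", "java-class": "com.attacker.Gadget"}},
        {"name": "when",
         "type": {"type": "string", "java-class": "java.util.Date"}},
        {"name": "tags",
         "type": {"type": "array", "items": "string",
                  "java-element-class": "com.attacker.Elem"}},
    ],
}
SAMPLE_SCHEMA = json.dumps(SAMPLE_SCHEMA_DICT)


def demo():
    """Compare an illustrative non-empty allow-list (NOT the library's
    default) with the empty list the advisory recommends for 1.15.1."""
    rej_list, ok_list = audit_schema(SAMPLE_SCHEMA, ["java.util"])
    rej_empty, ok_empty = audit_schema(SAMPLE_SCHEMA, [])
    return {
        "allowlist_allowed": [r[2] for r in ok_list],
        "allowlist_rejected": [r[2] for r in rej_list],
        "empty_allowed": [r[2] for r in ok_empty],
        "empty_rejected": [r[2] for r in rej_empty],
    }


if __name__ == "__main__":
    for ref in find_class_refs(SAMPLE_SCHEMA_DICT):
        print("class reference:", *ref)
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With a non-empty list, every class under a trusted prefix passes regardless of what its constructor does, which is the gap 1.15.1 left open; with an empty list nothing passes, which is why the advisory's interim mitigation is sufficient. To run this against a real file, extract the footer key-value metadata with your Parquet tooling (for example pyarrow's `read_metadata(path).metadata[b"parquet.avro.schema"]`) and pass the decoded JSON string to `audit_schema`.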

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially those relying on Apache Parquet Java for big data processing, analytics, or data warehousing. Exploitation could lead to unauthorized code execution inside the reading application, enabling attackers to compromise sensitive data, disrupt data processing pipelines, or pivot within internal networks. Given the widespread adoption of Apache Parquet in data-intensive industries such as finance, telecommunications, healthcare, and government across Europe, the impact could be substantial. Attackers could leverage this vulnerability to exfiltrate confidential information, manipulate data integrity, or cause denial of service by crashing critical data services. The requirement for user interaction and low privileges reduces the risk somewhat but does not eliminate it, particularly where trusted users or automated ingestion jobs read Parquet files from external sources: a file dropped into a shared bucket or data-exchange folder is enough if the consumer reads it with the specific or reflect model. The vulnerability's presence in widely used open-source software increases the likelihood of targeted attacks or supply chain compromises affecting European enterprises.

Mitigation Recommendations

European organizations should prioritize upgrading Apache Parquet Java to version 1.15.2, which fully remediates the vulnerability. Where an immediate upgrade is not feasible, setting the system property "org.apache.parquet.avro.SERIALIZABLE_PACKAGES" to an empty string on version 1.15.1 (for example "-Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES=" on the JVM command line) is a sufficient interim mitigation; the property was introduced in 1.15.1, so it has no effect on 1.15.0 and earlier, which must be upgraded. Additionally, organizations should treat Parquet files from external or untrusted sources as hostile input: inspect the Avro schema embedded in the file footer for attributes that name Java classes before reading, and read such files with the "generic" model only. Network segmentation and running data processing jobs with least privilege can limit the impact of a successful exploit. Logging class-loading and reader errors in data processing systems, and alerting on schemas that name unexpected Java classes, can help detect exploitation attempts early. Security teams should also update incident response plans to cover big data processing components. Finally, educating developers and data engineers about safe usage of the parquet-avro module, specifically avoiding the "specific" and "reflect" models with untrusted data, will reduce exposure.
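The upgrade-or-mitigate decision above has a trap: the property mitigation counts only on 1.15.1, and only if the value is actually empty. The following Python script is an added example for this page, not Apache Parquet code, that applies the advisory's rules to a dependency inventory and a JVM options string. The dependency lines are constructed in the "group:artifact:packaging:version:scope" form that `mvn dependency:list` prints (plain "group:artifact:version" is accepted too), and the JVM options are constructed as well.

```python
"""Classify parquet-avro dependencies against CVE-2025-46762.
Added example for this page; not Apache Parquet code. Dependency lines are
constructed in Maven "group:artifact:packaging:version:scope" form (Gradle
"group:artifact:version" is accepted too); the JVM options are constructed."""
import re
import shlex

PROPERTY = "org.apache.parquet.avro.SERIALIZABLE_PACKAGES"
FIXED = (1, 15, 2)                # first release with the complete fix
PROPERTY_INTRODUCED = (1, 15, 1)  # only release where the property mitigates


def parse_version(text):
    """'1.15.1' -> (1, 15, 1); suffixes such as '-SNAPSHOT' are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def property_is_empty(jvm_opts):
    """True iff the JVM options set PROPERTY to the empty string.
    '-Dprop' and '-Dprop=' both yield ''; a later -D wins over an earlier one."""
    prefix = f"-D{PROPERTY}"
    value = None
    for tok in shlex.split(jvm_opts):
        if not tok.startswith(prefix):
            continue
        rest = tok[len(prefix):]
        if rest == "":
            value = ""
        elif rest.startswith("="):
            value = rest[1:]
    return value == ""


def assess(dependency_line, jvm_opts=""):
    """Return (coordinate, version, status, action) for one dependency line.
    status is one of: not-applicable, fixed, mitigated, vulnerable."""
    parts = dependency_line.strip().split(":")
    group, artifact = parts[0], parts[1]
    version_str = parts[3] if len(parts) >= 4 else parts[2]
    coord = f"{group}:{artifact}"
    if coord != "org.apache.parquet:parquet-avro":
        return coord, version_str, "not-applicable", ""
    v = parse_version(version_str)
    if v >= FIXED:
        return coord, version_str, "fixed", ""
    if v == PROPERTY_INTRODUCED:
        if property_is_empty(jvm_opts):
            return coord, version_str, "mitigated", "upgrade to 1.15.2 when possible"
        return coord, version_str, "vulnerable", f"set -D{PROPERTY}= or upgrade to 1.15.2"
    # 1.15.0 and earlier: the property does not exist there, only an upgrade helps
    return (coord, version_str, "vulnerable",
            "upgrade to 1.15.2 (property has no effect before 1.15.1)")


def audit(dependency_lines, jvm_opts=""):
    """Assess every line; return only the parquet-avro findings."""
    results = (assess(line, jvm_opts) for line in dependency_lines)
    return [r for r in results if r[2] != "not-applicable"]


# Constructed inventory, e.g. pasted from `mvn dependency:list` output.
SAMPLE_DEPENDENCIES = [
    "org.apache.parquet:parquet-avro:jar:1.15.0:compile",
    "org.apache.parquet:parquet-avro:jar:1.15.1:compile",
    "org.apache.parquet:parquet-avro:jar:1.15.2:compile",
    "org.apache.parquet:parquet-hadoop:jar:1.15.0:compile",
    "org.apache.avro:avro:jar:1.11.4:compile",
]
SAMPLE_JVM_OPTS = f"-Xmx4g -D{PROPERTY}= -Dfile.encoding=UTF-8"


if __name__ == "__main__":
    for opts in ("", SAMPLE_JVM_OPTS):
        print(f"JVM options: {opts or '(none)'}")
        for coord, ver, status, action in audit(SAMPLE_DEPENDENCIES, opts):
            print(f"  {coord}:{ver:<8} {status:<14} {action}")
```

Only the parquet-avro artifact is flagged, matching the advisory's scope; a 1.15.0 build stays "vulnerable" even with the property set, because the property does not exist there. Feed it your real `mvn dependency:list` output and the `JAVA_TOOL_OPTIONS` or launcher flags of each service to get a per-deployment answer.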

Technical Details

Data Version: 5.1
Assigner Short Name: apache
Date Reserved: 2025-04-29T02:49:04.253Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682d981bc4522896dcbd9d4f

Added to database: 5/21/2025, 9:08:43 AM

Last enriched: 7/5/2025, 3:56:01 PM

Last updated: 7/28/2025, 7:23:15 PM