CVE-2025-46762: CWE-73 External Control of File Name or Path in Apache Software Foundation Apache Parquet Java
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be executed. The exploit is only applicable if the client code of parquet-avro uses the "specific" or the "reflect" models deliberately for reading Parquet files. ("generic" model is not impacted) Users are recommended to upgrade to 1.15.2 or set the system property "org.apache.parquet.avro.SERIALIZABLE_PACKAGES" to an empty string on 1.15.1. Both are sufficient to fix the issue.
AI Analysis
Technical Summary
CVE-2025-46762 is recorded under CWE-73 (External Control of File Name or Path) and affects the parquet-avro module of Apache Parquet Java. Versions 1.15.0 and earlier are vulnerable outright; 1.15.1 is only partially fixed. The flaw lies in schema parsing: when a Parquet file is read with the Avro 'specific' or 'reflect' data model, parquet-avro resolves class names carried in the Avro schema embedded in the file's metadata, so a crafted file can make the library load and instantiate attacker-chosen classes and execute code in the reading process. Version 1.15.1 introduced an allowlist of trusted packages, controlled by the system property org.apache.parquet.avro.SERIALIZABLE_PACKAGES, but its default value still trusts packages that contain abusable classes, so 1.15.1 with default settings remains exploitable. The 'generic' model is not affected, which limits exposure to applications that explicitly select the specific or reflect model when reading. Exploitation requires the victim application to read an attacker-supplied Parquet file with one of those two models. Remediation is to upgrade to 1.15.2, or on 1.15.1 to set the system property to an empty string, which empties the allowlist so that no package is trusted and no class is loaded on the basis of a file's schema (1.15.0 and earlier do not read the property, so for them only the upgrade helps). The CVSS 4.0 base score of 7.1 (High) reflects a network attack vector, low attack complexity, a requirement for user interaction (a user or job must read the crafted file) and high privileges. No exploitation in the wild had been reported at publication.
Potential Impact
This vulnerability matters to any organization that reads Parquet files through Apache Parquet Java's parquet-avro module with the 'specific' or 'reflect' Avro data model. Successful exploitation gives the attacker arbitrary code execution in the context of the reading process, which can lead to full host compromise, theft of whatever data that process can reach, or disruption of the pipeline. Because Parquet is a standard interchange format in big-data analytics, cloud data platforms and ETL pipelines, a single crafted file placed in a shared bucket, a partner data feed or a public dataset can reach many readers. The need for high privileges and for a user or job to read the file limits opportunistic exploitation but does not remove the risk: in most data platforms files are ingested by automated jobs that run with broad access and never inspect what they read. Organizations on affected versions without mitigation are exposed to targeted attacks, particularly in data-heavy sectors such as finance, healthcare and technology. The absence of reported exploitation in the wild suggests limited active use so far, but code execution triggered by a data file warrants prompt remediation.
Mitigation Recommendations
Organizations should first establish whether they are exposed: inventory every application and platform component that depends on parquet-avro (for Maven builds, `mvn dependency:tree -Dincludes=org.apache.parquet:parquet-avro` shows the resolved version, including transitive copies pulled in by other libraries; Gradle's `dependencies` task does the same), confirm whether that version is 1.15.1 or earlier, and search the code for readers built with `ReflectData`, `SpecificData`, generated Avro `SpecificRecord` classes, or `AvroReadSupport` configured with a non-generic data model. The primary fix is to upgrade to Apache Parquet 1.15.2. Where an upgrade is not immediately possible, run 1.15.1 with the JVM flag `-Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES=` (an empty value); this empties the trusted-package allowlist so the library loads no class at all on the basis of a file's schema. Set it in the JVM options of the launcher rather than from application code, so it is in place before parquet-avro initializes, and remember that copies of the library bundled inside data-platform distributions need the same treatment. Versions 1.15.0 and earlier do not honor the property, so for them only the upgrade helps. Beyond that, treat Parquet files from outside the trust boundary as untrusted input: restrict which sources an ingestion job reads from, read with the 'generic' model wherever the application does not genuinely need specific or reflect records, and run readers with the least privilege and sandboxing the platform allows. Monitor systems that read Parquet files for unexpected child processes, outbound connections or class loading, and make sure developers and administrators understand that a data file's embedded schema is attacker-controlled input.
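The following Java example is added here and is not code from the Apache Parquet project or from this advisory. It shows the two reader configurations that the technical summary and the mitigation section above contrast: a reader built with ReflectData (the pattern that is exposed on 1.15.1 and earlier, shown only to make the difference visible) next to the same read done with GenericData, plus a fail-closed startup guard for deployments that must stay on 1.15.1 and rely on the system property. The parquet-avro and Hadoop APIs used (AvroParquetReader.builder, withDataModel, HadoopInputFile) are real; the class name, the assumption that the property must already be set when the library initializes, and the command-line invocation are this example's own.

```java
import java.io.IOException;

import org.apache.avro.generic.GenericData;
import org.apache.avro.generic.GenericRecord;
import org.apache.avro.reflect.ReflectData;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.parquet.avro.AvroParquetReader;
import org.apache.parquet.hadoop.ParquetReader;
import org.apache.parquet.hadoop.util.HadoopInputFile;
import org.apache.parquet.io.InputFile;

/**
 * Added example (not from the Apache Parquet project): reading a Parquet file
 * that may come from an untrusted source with parquet-avro.
 */
public class UntrustedParquetReader {

    /** JVM system property introduced in parquet-avro 1.15.1 (name taken from the advisory). */
    static final String SERIALIZABLE_PACKAGES = "org.apache.parquet.avro.SERIALIZABLE_PACKAGES";

    /**
     * VULNERABLE on 1.15.1 and earlier with default settings: with ReflectData as the
     * data model, parquet-avro resolves Java class names carried in the file's embedded
     * Avro schema, so a crafted file can cause classes from the trusted packages to be
     * instantiated. SpecificData.get() has the same exposure; GenericData does not.
     * Kept here only for comparison; never call it on a file you do not trust.
     */
    static long countRowsReflect(Configuration conf, Path file) throws IOException {
        InputFile in = HadoopInputFile.fromPath(file, conf);
        try (ParquetReader<Object> reader = AvroParquetReader.<Object>builder(in)
                .withDataModel(ReflectData.get())
                .withConf(conf)
                .build()) {
            long n = 0;
            while (reader.read() != null) {
                n++;
            }
            return n;
        }
    }

    /**
     * HARDENED: the "generic" model materializes rows as GenericRecord and does not
     * instantiate application classes named in the schema, which is why the advisory
     * lists it as not impacted.
     */
    static long countRowsGeneric(Configuration conf, Path file) throws IOException {
        InputFile in = HadoopInputFile.fromPath(file, conf);
        try (ParquetReader<GenericRecord> reader = AvroParquetReader.<GenericRecord>builder(in)
                .withDataModel(GenericData.get())
                .withConf(conf)
                .build()) {
            long n = 0;
            while (reader.read() != null) {
                n++;
            }
            return n;
        }
    }

    /**
     * Fail-closed guard for deployments stuck on 1.15.1: refuse to run unless the
     * trusted-package list has been emptied. The property is read, not set, because
     * (assumption) parquet-avro may already have captured its value during class
     * initialization; pass it on the JVM command line instead, for example:
     *   java -Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES= -cp ... UntrustedParquetReader data.parquet
     */
    static void requireEmptySerializablePackages() {
        String v = System.getProperty(SERIALIZABLE_PACKAGES);
        if (v == null || !v.trim().isEmpty()) {
            throw new IllegalStateException(SERIALIZABLE_PACKAGES
                    + " must be set to an empty string on parquet-avro 1.15.1 (got: " + v + ")");
        }
    }

    public static void main(String[] args) throws IOException {
        Configuration conf = new Configuration();
        Path file = new Path(args[0]);   // path supplied by the operator (assumed input)
        requireEmptySerializablePackages();
        // Only the generic reader is used on the real input.
        System.out.println("rows=" + countRowsGeneric(conf, file));
    }
}
```

On a file you trust, both counting methods return the same number of rows; the difference is what the library is willing to do on the way there. The guard reads the property instead of calling System.setProperty from main() because a value set after the library has initialized may be ignored, which is the practical reason to put the flag in the launcher's JVM options rather than in application code.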
Affected Countries
United States, Germany, United Kingdom, India, China, France, Canada, Australia, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: apache
- Date Reserved: 2025-04-29T02:49:04.253Z
- Cisa Enriched: true
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 682d981bc4522896dcbd9d4f
Added to database: 5/21/2025, 9:08:43 AM
Last enriched: 2/26/2026, 9:39:17 PM
Last updated: 3/21/2026, 7:32:20 PM
Views: 90