{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-33042", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-04-15T15:57:08.995Z", "datePublished": "2026-02-13T11:47:03.783Z", "dateUpdated": "2026-02-13T18:05:35.038Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.avro:avro", "product": "Apache Avro Java SDK", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "1.11.4", "status": "affected", "version": "0", "versionType": "semver"}, {"status": "affected", "version": "1.12.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Brant Eckert"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.</p><p>This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version&nbsp;1.12.0.</p><p>Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.</p>"}], "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.\n\nThis issue affects Apache Avro Java SDK: all versions through 1.11.4 and version\u00a01.12.0.\n\nUsers are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-02-13T11:47:03.783Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1"}], "source": {"defect": ["AVRO-4053"], "discovery": "UNKNOWN"}, "title": "Apache Avro Java SDK: Code injection on Java generated code", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/02/12/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-13T12:11:10.364Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-13T18:05:06.984761Z", "id": "CVE-2025-33042", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T18:05:35.038Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/02/12/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-13T12:11:10.364Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-33042", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-13T18:05:06.984761Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T18:04:55.307Z"}}], "cna": {"title": "Apache Avro Java SDK: Code injection on Java generated code", "source": {"defect": ["AVRO-4053"], "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Brant Eckert"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Avro Java SDK", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.11.4"}, {"status": "affected", "version": "1.12.0", "versionType": "semver"}], "packageName": "org.apache.avro:avro", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.\n\nThis issue affects Apache Avro Java SDK: all versions through 1.11.4 and version\u00a01.12.0.\n\nUsers are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.</p><p>This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version&nbsp;1.12.0.</p><p>Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-02-13T11:47:03.783Z"}}}, "cveMetadata": {"cveId": "CVE-2025-33042", "state": "PUBLISHED", "dateUpdated": "2026-02-13T18:05:35.038Z", "dateReserved": "2025-04-15T15:57:08.995Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-02-13T11:47:03.783Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:avro:*:*:*:*:*:-:*:*", "matchCriteriaId": "91C753AB-7CED-4EAF-9151-FD0B9B1C0D2E", "versionEndExcluding": "1.11.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:avro:1.12.0:-:*:*:*:-:*:*", "matchCriteriaId": "66D75377-FB84-444C-A23A-C260EF1E2B31", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:avro:1.12.0:rc0:*:*:*:-:*:*", "matchCriteriaId": "75016805-D38F-43B5-B9AD-BD1CD12F8927", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:avro:1.12.0:rc1:*:*:*:-:*:*", "matchCriteriaId": "13BEFC9E-6476-43B9-9DDD-C5D9CC1ACDC6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.\n\nThis issue affects Apache Avro Java SDK: all versions through 1.11.4 and version\u00a01.12.0.\n\nUsers are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue."}, {"lang": "es", "value": "Vulnerabilidad de control inadecuado de la generaci\u00f3n de c\u00f3digo ('Inyecci\u00f3n de c\u00f3digo') en el SDK de Java de Apache Avro al generar registros espec\u00edficos a partir de esquemas Avro no confiables.\n\nEste problema afecta al SDK de Java de Apache Avro: todas las versiones hasta la 1.11.4 y la versi\u00f3n 1.12.0.\n\nSe recomienda a los usuarios actualizar a la versi\u00f3n 1.12.1 o 1.11.5, que solucionan el problema."}], "id": "CVE-2025-33042", "lastModified": "2026-02-20T15:07:04.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-13T12:16:07.570", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory", "Issue Tracking"], "url": "https://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/02/12/2"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "org.apache.avro/avro: Apache Avro Java SDK: Code injection on Java generated code", "id": "2439675", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439675"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-94", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-33042", "package_state": [{"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Fix deferred", "package_name": "avro", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Fix deferred", "package_name": "avro", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Fix deferred", "package_name": "avro", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:apicurio_registry:3", "fix_state": "Fix deferred", "package_name": "avro", "product_name": "Red Hat build of Apicurio Registry 3"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Fix deferred", "package_name": "avro", "product_name": "Red Hat build of Debezium 2"}, {"cpe": "cpe:/a:redhat:debezium:3", "fix_state": "Fix deferred", "package_name": "avro", "product_name": "Red Hat build of Debezium 3"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Fix deferred", "package_name": "avro", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "avro", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "avro", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "avro", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "avro", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "avro", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Fix deferred", "package_name": "avro", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Fix deferred", "package_name": "avro", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Fix deferred", "package_name": "avro", "product_name": "streams for Apache Kafka 3"}], "public_date": "2026-02-13T11:47:03Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-33042\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-33042\nhttps://github.com/apache/avro/commit/84bc7322ca1c04ab4a8e4e708acf1e271541aac4\nhttps://issues.apache.org/jira/browse/AVRO-4053\nhttps://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1\nhttps://www.openwall.com/lists/oss-security/2026/02/12/2"], "threat_severity": "Moderate"}

{"created": "2026-02-13T21:28:42.476802+00:00", "updated": "2026-02-13T21:28:42.476866+00:00", "vendors": ["apache", "apache$PRODUCT$avro"]}