Bug 2439675 (CVE-2025-33042) - CVE-2025-33042 org.apache.avro/avro: Apache Avro Java SDK: Code injection on Java generated code
Summary: CVE-2025-33042 org.apache.avro/avro: Apache Avro Java SDK: Code injection on ...
Keywords:
Status: NEW
Alias: CVE-2025-33042
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2439735 2439736 2439737 2439738
Blocks:
Reported: 2026-02-13 12:01 UTC by OSIDB Bzimport
Modified: 2026-02-18 08:29 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Description OSIDB Bzimport 2026-02-13 12:01:07 UTC
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.

This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0.

Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.
