oss-security - CVE-2025-33042: Apache Avro Java SDK: Code injection on Java generated code

Follow @Openwall on Twitter for new release announcements and other news

Message-ID: <d9267ca2-7cbe-7a62-3fea-4bac86a7a5f4@apache.org>
Date: Thu, 12 Feb 2026 18:03:27 +0000
From: Ryan Skraba <rskraba@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-33042: Apache Avro Java SDK: Code injection on Java
 generated code 

Severity: moderate 

Affected versions:

- Apache Avro Java SDK (org.apache.avro:avro) through 1.11.4
- Apache Avro Java SDK (org.apache.avro:avro) 1.12.0

Description:

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.

This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0.

Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.

This issue is being tracked as AVRO-4053 

Credit:

Brant Eckert (finder)

References:

https://avro.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-33042
https://issues.apache.org/jira/browse/AVRO-4053

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.