CVE-2025-33042: org.apache.avro:avro:jar:1.12.0:compile

## Summary
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.

This issue affects Apache Avro Java SDK: all versions through 1.11.4 and versionÂ 1.12.0.

Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.

CVE: CVE-2025-33042
CWE: CWE-94

## References
- https://ossindex.sonatype.org/vulnerability/CVE-2025-33042?component-type=maven&component-name=org.apache.avro%2Favro&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-33042
- https://github.com/CVEProject/cvelistV5/blob/main/cves/2025/33xxx/CVE-2025-33042.json
- https://github.com/advisories/GHSA-rp46-r563-jrc7
- https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.avro/avro/CVE-2025-33042.yml
- https://nvd.nist.gov/vuln/detail/CVE-2025-33042
- https://osv-vulnerabilities.storage.googleapis.com/Maven/GHSA-rp46-r563-jrc7.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2025-33042: org.apache.avro:avro:jar:1.12.0:compile #369

Summary

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CVE-2025-33042: org.apache.avro:avro:jar:1.12.0:compile #369

Description

Summary

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions