{"id":"CVE-2025-33042","details":"Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.\n\nThis issue affects Apache Avro Java SDK: all versions through 1.11.4 and versionĀ 1.12.0.\n\nUsers are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.","aliases":["GHSA-rp46-r563-jrc7"],"modified":"2026-02-22T01:45:10.995939Z","published":"2026-02-13T12:16:07.570Z","related":["CGA-93cw-42v9-q34h"],"references":[{"type":"ADVISORY","url":"https://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2026/02/12/2"},{"type":"REPORT","url":"https://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1"},{"type":"ARTICLE","url":"https://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2026/02/12/2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/avro","events":[{"introduced":"0"},{"fixed":"257db287e4cf3f3831013780e709226d4aa188d9"}]}],"versions":["release-1.11.0","release-1.11.0-rc1","release-1.11.0-rc2","release-1.11.1","release-1.11.1-rc1","release-1.11.2","release-1.11.2-rc1","release-1.11.3","release-1.11.3-rc1","release-1.11.4","release-1.11.5-RC0"],"database_specific":{"vanir_signatures":[{"deprecated":false,"id":"CVE-2025-33042-083a1499","target":{"file":"lang/java/compiler/src/test/java/org/apache/avro/compiler/specific/TestSpecificCompiler.java"},"signature_type":"Line","digest":{"line_hashes":["291309800966843137947536545290032695159","221037608479349514828638049023753841869","315349996930919669934619115542338635801","297219962978289013949108349949537781373","272910421913207300507468130701630172916","170200307531041902844093467846247043852","257696663555733373567494095768409786221","190924354717666708339553501730895217287","224589439695360237174914848439162696008"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/apache/avro/commit/257db287e4cf3f3831013780e709226d4aa188d9"},{"deprecated":false,"id":"CVE-2025-33042-34c672b6","target":{"file":"lang/java/compiler/src/main/java/org/apache/avro/compiler/specific/SpecificCompiler.java","function":"javaAnnotations"},"signature_type":"Function","digest":{"length":466,"function_hash":"32788602440209861843884792714707363535"},"signature_version":"v1","source":"https://github.com/apache/avro/commit/257db287e4cf3f3831013780e709226d4aa188d9"},{"deprecated":false,"id":"CVE-2025-33042-9fc3eb30","target":{"file":"lang/java/compiler/src/main/java/org/apache/avro/compiler/specific/SpecificCompiler.java"},"signature_type":"Line","digest":{"line_hashes":["70771956055940442514103611574301114154","238903126193692026002511292991439891563","300906517244693446487937585945550490448","208827671120222188732267556602830336861","46262050765424080087731599745530234117","217116392064333751629977133211242667556","330199537522653320165707225666721878474","261400939099411121099566912930451212963","258504385302819325578918495081448122546","134725490339041595859278718042141308773","256881393042175191513787229119012532126","59618892000578408467121870609369899489","81974687732621857746509896468957032518","66398935291910999419497150480459600670","188714196139622641091367112218836400048","8682127004718845371017478450226688684","70374232380200534640351897473476193966","286133326394466185488886464481448443932","185531377118408463826116287966828968498","36989222978632851688226362820435483920","297969883165229994553685187753389185344","97752416601766057788212817459040229965","130648611176324906569536615708418682764","308067925127412434029531244835481049146","48450229955444445478261254704838572703","182922208540893286752063490037158396617","221583899330277162497754445847262678530","269191592085265711876533001616218781197","143193421323882948310740841132108965602","118098057086160394453256441589526704912","135885473812845987448263785048101326937","48842657684933011318605222139496299666","96374062915015664357954062759603122110","175991049823875534407563527860232381197"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/apache/avro/commit/257db287e4cf3f3831013780e709226d4aa188d9"},{"deprecated":false,"id":"CVE-2025-33042-a70e8b1e","target":{"file":"lang/java/ipc/src/test/java/org/apache/avro/compiler/specific/TestSpecificCompiler.java"},"signature_type":"Line","digest":{"line_hashes":["119733935718277627224716802179174359496","36013791008060821061663577733737481918","229007013215136918271743442596489128921","139173181423621862363735826218444014392"],"threshold":0.9},"signature_version":"v1","source":"https://github.com/apache/avro/commit/257db287e4cf3f3831013780e709226d4aa188d9"},{"deprecated":false,"id":"CVE-2025-33042-a8dc4b74","target":{"file":"lang/java/compiler/src/main/java/org/apache/avro/compiler/specific/SpecificCompiler.java","function":"escapeForJavadoc"},"signature_type":"Function","digest":{"length":80,"function_hash":"270343127961230285353372754179074138435"},"signature_version":"v1","source":"https://github.com/apache/avro/commit/257db287e4cf3f3831013780e709226d4aa188d9"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-33042.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}]}