The parquet-avro module of Apache Parquet 1.15.0 and previous versions allows to execute arbitrary code and has been therefore classified as a critical vulnerability with the highest CVSS score. The parquet library is contained in the latest version of GATK and should be updated to version 1.15.1.

Resources

• https://nvd.nist.gov/vuln/detail/CVE-2025-30065
• GH-3168: Restrict trusted packages in the parquet-avro module apache/parquet-java#3169
• [SPARK-51549][BUILD] Bump Parquet 1.15.1 apache/spark#50319