{
  "threat_severity" : "Moderate",
  "public_date" : "2026-02-13T11:47:03Z",
  "bugzilla" : {
    "description" : "org.apache.avro/avro: Apache Avro Java SDK: Code injection on Java generated code",
    "id" : "2439675",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2439675"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.6",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-94",
  "details" : [ "Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.\nThis issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0.\nUsers are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.", "A code injection flaw has been discovered in the Apache Avro Java SDK. The flaw manifests when Java code for specific records is generated from untrusted Avro schemas, so that content from the schema can be injected into the generated Java code." ],
  "affected_release" : [ {
    "product_name" : "Red Hat build of Quarkus 3.20.6",
    "release_date" : "2026-04-14T00:00:00Z",
    "advisory" : "RHSA-2026:7109",
    "cpe" : "cpe:/a:redhat:quarkus:3.20::el8",
    "package" : "avro"
  }, {
    "product_name" : "Red Hat build of Quarkus 3.27.3",
    "release_date" : "2026-04-14T00:00:00Z",
    "advisory" : "RHSA-2026:7380",
    "cpe" : "cpe:/a:redhat:quarkus:3.27::el8",
    "package" : "avro"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3",
    "fix_state" : "Fix deferred",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 4",
    "fix_state" : "Fix deferred",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:4"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 2",
    "fix_state" : "Fix deferred",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:service_registry:2"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 3",
    "fix_state" : "Fix deferred",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:apicurio_registry:3"
  }, {
    "product_name" : "Red Hat build of Debezium 2",
    "fix_state" : "Fix deferred",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:debezium:2"
  }, {
    "product_name" : "Red Hat build of Debezium 3",
    "fix_state" : "Fix deferred",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:debezium:3"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Fix deferred",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Fix deferred",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Fix deferred",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Fix deferred",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Fix deferred",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Fix deferred",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "streams for Apache Kafka 2",
    "fix_state" : "Fix deferred",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  }, {
    "product_name" : "streams for Apache Kafka 3",
    "fix_state" : "Fix deferred",
    "package_name" : "avro",
    "cpe" : "cpe:/a:redhat:amq_streams:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-33042\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-33042\nhttps://github.com/apache/avro/commit/84bc7322ca1c04ab4a8e4e708acf1e271541aac4\nhttps://issues.apache.org/jira/browse/AVRO-4053\nhttps://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1\nhttps://www.openwall.com/lists/oss-security/2026/02/12/2" ],
  "name" : "CVE-2025-33042",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to a widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}