Skip to main content

Mondoo

Vulnerability Management
Technology
Services

Solutions

Financial Services
Manufacturing
Healthcare

Resources

Blog
Vulnerability Database
Documentation
GitHub

Company

About
Careers
Partners
Contact

Legal

Privacy
Terms
Imprint

© 2026 Mondoo, Inc.

Log in Get Assessment

CVE-2025-33042 | Mondoo Vulnerability Intelligence

Vulnerability IntelligenceCVE-2025-33042

CVE-2025-33042

HIGH7.3

Apache Avro Java SDK: Code injection on Java generated code

Published Feb 13, 2026

Modified 1 months ago

Details

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.

This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0.

Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.

References

http://www.openwall.com/lists/oss-security/2026/02/12/2

https://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1

https://www.cve.org/CVERecord?id=CVE-2025-33042

CVSS Analysis

CVSS v3.1

7.3

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

Scope

UnchangedS:U

Impact

Confidentiality

LowC:L

Integrity

LowI:L

Availability

LowA:L

7.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Weakness Type (CWE)

Injection

Ecosystems

Timeline

PublishedFeb 13, 2026

ModifiedFeb 13, 2026