A critical severity remote code execution (RCE) vulnerability, CVE-2025-30065, has been discovered in the parquet-avro module (Avro schema support) of Apache Parquet, affecting all versions up to and including 1.15.0. Pega is making hotfixes and patches available for the affected patch releases. We strongly advise clients to apply the hotfixes Pega has made available.
This vulnerability can affect Pega clients running releases 23.1.0 through 24.2.1 of Pega Infinity. We are not aware of any of our clients being compromised as a result of this vulnerability.
To prevent malicious actors from exploiting this vulnerability, Pega has created the following remediations which replace the potentially vulnerable Apache Parquet module with a corrected version where Apache Parquet has made one available. Hotfixes are available for the affected patch releases from 23.1.0 to 24.2.1.
Advisory | Description | Impact | Remediation
Apache Parquet Vulnerability | Remote Code Execution (RCE) | Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code | 23.1.0 to 24.2.1 hotfix(es); 23.1.5 Patch Release; 24.1.4 Patch Release; 24.2.2 Patch Release; 25.1.0 Release
The remediation for this issue will be included as part of the product in the patch releases of the Pega Platform listed above.
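The advisory identifies the affected component only by name and version (parquet-avro at or below 1.15.0). For on-premises or client-managed deployments, a quick inventory check is to find which parquet-avro artifacts are present on disk and whether their version falls in the affected range. The script below is an added example, not Pega's or Apache Parquet's code; it assumes the standard Maven artifact naming (`parquet-avro-<version>.jar`) and uses constructed sample file names. Version comparison is done numerically so that, for instance, 1.9.0 is correctly treated as older than 1.15.0 (a plain string comparison would get this wrong).

```python
import os
import re
from typing import Iterable, List, Tuple

# Upper bound of the affected range stated in the advisory: every
# parquet-avro version up to and including 1.15.0.
LAST_AFFECTED = (1, 15, 0)

# Maven-style artifact name: parquet-avro-<numeric version>[-qualifier].jar
# The naming pattern is the standard Maven convention (assumption: the
# deployment has not renamed or shaded the jar).
_JAR_RE = re.compile(r"^parquet-avro-(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.15.0' into (1, 15, 0).

    A qualifier such as '-SNAPSHOT' is ignored for the comparison; a
    two-part version like '1.15' is padded to '1.15.0'. Numeric tuples
    avoid the lexical trap where '1.9.0' sorts after '1.15.0' as text.
    """
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    parts = tuple(int(p) for p in core.split(".") if p.isdigit())
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    return parts


def is_affected(version: str) -> bool:
    """True when the parquet-avro version is in the advisory's affected range."""
    return parse_version(version) <= LAST_AFFECTED


def scan_jar_names(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (file name, version) for each parquet-avro jar in the affected range.

    Jars of other Parquet modules (e.g. parquet-hadoop) are ignored, since the
    advisory names only the parquet-avro module.
    """
    findings: List[Tuple[str, str]] = []
    for name in names:
        match = _JAR_RE.match(name)
        if not match:
            continue
        version = match.group(1)
        if match.group(2):
            version += "-" + match.group(2)
        if is_affected(version):
            findings.append((name, version))
    return findings


def scan_directory(root: str) -> List[Tuple[str, str]]:
    """Walk a directory tree and report affected parquet-avro jars by path."""
    findings: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name, version in scan_jar_names(files):
            findings.append((os.path.join(dirpath, name), version))
    return findings


if __name__ == "__main__":
    # Constructed sample listing (not from a real deployment).
    sample = [
        "parquet-avro-1.15.0.jar",
        "parquet-avro-1.15.1.jar",
        "parquet-avro-1.9.0.jar",
        "parquet-avro-1.14.3-SNAPSHOT.jar",
        "parquet-hadoop-1.15.0.jar",
    ]
    for name, version in scan_jar_names(sample):
        print(f"AFFECTED  {name}  (parquet-avro {version})")
```

The file name is only one signal: a shaded or repackaged jar can carry the vulnerable classes without the version in its name, so treat an empty result as "no obvious hit" rather than "clean". For Pega deployments the authoritative fix remains the hotfix or patch release listed in this advisory; the scan is a way to confirm that no stray copy of the old module survives after the hotfix has been applied.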
If you are a Pega Cloud® client, your Pega Cloud environments running the relevant Pega releases listed in the table below are being proactively remediated by Pega. Cloud Maintenance (CM) cases are being created for each of your environments and will provide the schedule of when the hotfixes will be applied. If you are not on a release with a solution provided, you need to upgrade as soon as possible.
If you are a United States Pega Cloud for Government (PCFG) client, Cloud Change (CC) cases are being created for the relevant hotfix, which will be applied by Pega. If you are not on a release with a solution provided, you need to upgrade as soon as possible.
If you are an on-premises or client managed cloud client, please review the tables below to determine which hotfixes correspond to your Pegasystems installation. Once you have determined the appropriate hotfix IDs, you can download your hotfix directly from My Security Hotfixes on My Pega.
As always, we recommend our clients review our Security Checklist regularly.
Hotfixes
Hotfixes are being created for the affected patch releases in standard support (23.1.0 to 24.2.1). The latest patch release hotfixes are available now. The rest are targeted for 4/25.
As a best practice, you should update your Pega environment to the latest release to take advantage of the latest features, capabilities, and security and bug fixes. See Keeping current with Pega.
Version | Hotfix
23.1.0 | HFIX-C1131
23.1.1 | HFIX-C1132
23.1.2 | HFIX-C1133
23.1.3 | HFIX-C1134
23.1.4 | HFIX-C1267**
24.1.0 | HFIX-C1136
24.1.1 | HFIX-C1138
24.1.2 | HFIX-C1139
24.1.3 | HFIX-C1140
24.2.0 | HFIX-C1141
24.2.1 | HFIX-C1142
** - For clients that are on 23.1.4, who previously installed HFIX-C1135, it was determined that this hotfix was missing an update. Please install HFIX-C1267 to get the complete fix. There is no need to uninstall HFIX-C1135.
A restart is needed after installing the hotfix.
Dates for upcoming patch releases can be found on the Pega Infinity Patch Calendar.
CVE Details
Issue: RCE with Apache Parquet
Software/Product | Apache Parquet
Pega Infinity Affected Release(s) | From 23.1.0 to 24.2.1
CVE ID | CVE-2025-30065
CVSS Rating | Critical – 10.0
Description | Remote Code Execution (RCE)
If you have any questions or concerns, please raise a Support ticket with Global Client Support in My Support Portal for assistance.