Moderate severity · NVD Advisory · Published Feb 13, 2026 · Updated Feb 13, 2026
Apache Avro Java SDK: Code injection on Java generated code
CVE-2025-33042
Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.
This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0.
Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.avro:avro-compiler (Maven) | >= 1.12.0, < 1.12.1 | 1.12.1 |
| org.apache.avro:avro-compiler (Maven) | < 1.11.5 | 1.11.5 |
Affected products
| Package (OSV coordinates) | Affected range |
|---|---|
| pkg:apk/chainguard/akhq | < 0.26.0-r8 |
| pkg:apk/chainguard/apache-hop | < 2.17.0-r0 |
| pkg:apk/chainguard/apache-hop-fips | < 2.17.0-r0 |
| pkg:apk/chainguard/apache-pulsar | < 4.1.3-r0 |
| pkg:apk/chainguard/celeborn-0.5 | < 0.5.4-r17 |
| pkg:apk/chainguard/celeborn-0.6 | < 0.6.2-r7 |
| pkg:apk/chainguard/druid | < 36.0.0-r1 |
| pkg:apk/chainguard/kafbat-ui | < 1.4.2-r3 |
| pkg:apk/chainguard/kafbat-ui-fips | < 1.4.2-r2 |
| pkg:apk/chainguard/logstash-8.17 | < 8.17.10-r11 |
| pkg:apk/chainguard/logstash-8.17-iamguarded-compat | < 8.17.10-r11 |
| pkg:apk/chainguard/logstash-8.17-with-output-opensearch | < 8.17.10-r11 |
| pkg:apk/chainguard/logstash-8.18 | < 8.18.8-r10 |
| pkg:apk/chainguard/logstash-8.18-iamguarded-compat | < 8.18.8-r10 |
| pkg:apk/chainguard/logstash-8.18-with-output-opensearch | < 8.18.8-r10 |
| pkg:apk/chainguard/logstash-8.19 | < 8.19.11-r0 |
| pkg:apk/chainguard/logstash-8.19-iamguarded-compat | < 8.19.11-r0 |
| pkg:apk/chainguard/logstash-8.19-with-output-opensearch | < 8.19.11-r0 |
| pkg:apk/chainguard/logstash-9.0 | < 9.0.8-r10 |
| pkg:apk/chainguard/logstash-9.0-iamguarded-compat | < 9.0.8-r10 |
| pkg:apk/chainguard/logstash-9.0-with-output-opensearch | < 9.0.8-r10 |
| pkg:apk/chainguard/logstash-9.1 | < 9.1.10-r0 |
| pkg:apk/chainguard/logstash-9.1-bitnami-compat | < 9.1.10-r0 |
| pkg:apk/chainguard/logstash-9.1-iamguarded-compat | < 9.1.10-r0 |
| pkg:apk/chainguard/logstash-9.1-with-output-opensearch | < 9.1.10-r0 |
| pkg:apk/chainguard/logstash-9.2 | < 9.2.5-r0 |
| pkg:apk/chainguard/logstash-9.2-iamguarded-compat | < 9.2.5-r0 |
| pkg:apk/chainguard/logstash-9.2-with-output-opensearch | < 9.2.5-r0 |
| pkg:apk/chainguard/logstash-9.3 | < 9.3.0-r0 |
| pkg:apk/chainguard/logstash-9.3-iamguarded-compat | < 9.3.0-r0 |
| pkg:apk/chainguard/logstash-9.3-with-output-opensearch | < 9.3.0-r0 |
| pkg:apk/chainguard/pinot | < 1.4.0-r1 |
| pkg:apk/chainguard/spark-3.5-scala-2.12 | < 3.5.8-r2 |
| pkg:apk/chainguard/spark-3.5-scala-2.13 | < 3.5.8-r2 |
| pkg:apk/chainguard/spark-4.0-scala-2.13 | < 4.0.2-r0 |
| pkg:apk/chainguard/spark-4.1-scala-2.13 | < 4.1.1-r4 |
| pkg:apk/chainguard/spark-fips-3.5-scala-2.12 | < 3.5.4-r21 |
| pkg:apk/chainguard/spark-fips-3.5-scala-2.13 | < 3.5.4-r21 |
| pkg:apk/chainguard/spark-fips-4.1-scala-2.13 | < 4.1.1-r1 |
| pkg:apk/chainguard/wavefront-proxy | < 13.9-r4 |
| pkg:apk/wolfi/akhq | < 0.26.0-r8 |
| pkg:apk/wolfi/apache-pulsar | < 4.1.3-r0 |
| pkg:apk/wolfi/celeborn-0.5 | < 0.5.4-r17 |
| pkg:apk/wolfi/celeborn-0.6 | < 0.6.2-r7 |
| pkg:apk/wolfi/druid | < 36.0.0-r1 |
| pkg:apk/wolfi/logstash-9.1 | < 9.1.10-r0 |
| pkg:apk/wolfi/logstash-9.1-bitnami-compat | < 9.1.10-r0 |
| pkg:apk/wolfi/logstash-9.1-iamguarded-compat | < 9.1.10-r0 |
| pkg:apk/wolfi/logstash-9.1-with-output-opensearch | < 9.1.10-r0 |
| pkg:apk/wolfi/logstash-9.2 | < 9.2.5-r0 |
| pkg:apk/wolfi/logstash-9.2-iamguarded-compat | < 9.2.5-r0 |
| pkg:apk/wolfi/logstash-9.2-with-output-opensearch | < 9.2.5-r0 |
| pkg:apk/wolfi/logstash-9.3 | < 9.3.0-r0 |
| pkg:apk/wolfi/logstash-9.3-iamguarded-compat | < 9.3.0-r0 |
| pkg:apk/wolfi/logstash-9.3-with-output-opensearch | < 9.3.0-r0 |
| pkg:apk/wolfi/spark-3.5-scala-2.12 | < 3.5.8-r2 |
| pkg:apk/wolfi/spark-3.5-scala-2.13 | < 3.5.8-r2 |
| pkg:apk/wolfi/spark-4.0-scala-2.13 | < 4.0.2-r0 |
| pkg:apk/wolfi/spark-4.1-scala-2.13 | < 4.1.1-r4 |
| pkg:apk/wolfi/wavefront-proxy | < 13.9-r4 |
| pkg:maven/org.apache.avro/avro-compiler | >= 1.12.0, < 1.12.1 |
References
- github.com/advisories/GHSA-rp46-r563-jrc7 (ghsa, ADVISORY)
- lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-33042 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2026/02/12/2 (ghsa, WEB)
- github.com/apache/avro/commit/84bc7322ca1c04ab4a8e4e708acf1e271541aac4 (ghsa, WEB)
- github.com/apache/avro/pull/3150 (ghsa, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/avro/PYSEC-2026-26.yaml (ghsa, WEB)
- issues.apache.org/jira/browse/AVRO-4053 (ghsa, WEB)
- security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEAVRO-15282783 (ghsa, WEB)