@RandallWilliams, the Trust Site is showing this CVE as "Esri Assessment & Response: Component not present", but Tenable is scanning the jar files in the Pro installation folder and returning this:
Plugin Output:
Path : C:\Program Files\ArcGIS\Pro\java\runtime\spark\jars\parquet-column-1.13.1.jar
Installed version : 1.13.1
Fixed version : 1.15.1
Path : C:\Program Files\ArcGIS\Pro\java\runtime\spark\jars\parquet-common-1.13.1.jar
Installed version : 1.13.1
Fixed version : 1.15.1
Path : C:\Program Files\ArcGIS\Pro\java\runtime\spark\jars\parquet-encoding-1.13.1.jar
Installed version : 1.13.1
Fixed version : 1.15.1
Path : C:\Program Files\ArcGIS\Pro\java\runtime\spark\jars\parquet-hadoop-1.13.1.jar
Installed version : 1.13.1
Fixed version : 1.15.1
The CVE seems to concern only one specific library regarding Avro format, which doesn't seem present in the Pro install (see my listing below which slightly differs from yours but does not show a file name with 'avro'). These found modules are different ones, and as far as I can tell not involved in the CVE. I guess the affected module is called simply 'parquet-avro-<VERSION>.jar', but I didn't see the actual full filename listed in the CVE.
@MarcoBoeringa is correct and Tenable is providing a false positive. We do not provide the parquet-avro module. Tenable chooses to err on the side of false positives over false negatives.
"Esri Assessment & Response: Component not present" is the correct response.
Thank you for the additional detail; I have forwarded this thread to my security team.
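The check discussed in this thread, as an added example that is not part of any post above and is not Esri's or Tenable's code: it classifies each jar by module name and also looks inside the archive for the module's classes, so a bundled copy under another file name is not missed. It assumes, as the thread does, that the affected module is parquet-avro with the fixed version 1.15.1 from the plugin output; the function names and sample jars are hypothetical.

```python
import re
import zipfile
from pathlib import Path

# Assumptions taken from the thread: the affected module is parquet-avro and the
# scanner's "Fixed version" is 1.15.1. The package path is parquet-avro's Java package.
AFFECTED_ARTIFACT = "parquet-avro"
AFFECTED_PACKAGE = "org/apache/parquet/avro/"
FIXED_VERSION = (1, 15, 1)
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)*)[^/\\]*\.jar$")

def triage_jar(path):
    """Classify one jar by module name and by the classes it actually contains."""
    m = JAR_NAME.match(path.name)
    artifact = m["artifact"] if m else path.stem
    version = tuple(int(p) for p in m["version"].split(".")) if m else None
    try:
        with zipfile.ZipFile(path) as jar:
            # A shaded/fat jar can bundle the module under an unrelated file name.
            bundled = any(n.startswith(AFFECTED_PACKAGE) and n.endswith(".class")
                          for n in jar.namelist())
    except zipfile.BadZipFile:
        return "unreadable"
    if artifact != AFFECTED_ARTIFACT and not bundled:
        return "not-affected-module"
    if artifact == AFFECTED_ARTIFACT and version and version >= FIXED_VERSION:
        return "fixed"
    return "review"

def triage_tree(root):
    """Map every jar file name under root to its verdict."""
    return {p.name: triage_jar(p) for p in sorted(Path(root).rglob("*.jar"))}

def build_sample_tree(root):
    """Constructed sample data: tiny jars that mimic the layouts discussed above."""
    samples = {
        "parquet-column-1.13.1.jar": "org/apache/parquet/column/ColumnReader.class",
        "parquet-hadoop-1.13.1.jar": "org/apache/parquet/hadoop/ParquetReader.class",
        "parquet-avro-1.13.1.jar": "org/apache/parquet/avro/AvroParquetReader.class",
        "parquet-avro-1.15.1.jar": "org/apache/parquet/avro/AvroParquetReader.class",
        "vendor-bundle.jar": "org/apache/parquet/avro/AvroParquetReader.class",
    }
    for name, entry in samples.items():
        with zipfile.ZipFile(Path(root) / name, "w") as jar:
            jar.writestr(entry, b"")

if __name__ == "__main__":
    import sys
    for name, verdict in triage_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{verdict:20} {name}")
```

Run against the folder named in the plugin output, a result of only "not-affected-module" verdicts is the evidence to attach when marking the scanner finding as a false positive.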