←back to thread

Max severity RCE flaw discovered in widely used Apache Parquet

(www.bleepingcomputer.com)
174 points andy99 | 2 comments | 06 Apr 25 17:21 UTC | HN request time: 0s | source
Show context
g-mork ◴[06 Apr 25 18:25 UTC] No.43603642[source]
When did vulnerability reports get so vague? Looks like a classic serialization bug

https://github.com/apache/parquet-java/compare/apache-parque...

replies(3): >>43603809 #>>43604045 #>>43604276 #
hypeatei ◴[06 Apr 25 19:39 UTC] No.43604276[source]
Tangential, but there was a recent sandbox escape vulnerability in both Chrome and Firefox.

The bug threads are still private, almost two weeks since it was disclosed and fixed. Very strange.

https://bugzilla.mozilla.org/show_bug.cgi?id=1956398

https://issues.chromium.org/issues/405143032

https://www.cve.org/CVERecord?id=CVE-2025-2783

replies(2): >>43604716 #>>43604761 #
1. hovav ◴[06 Apr 25 20:30 UTC] No.43604716[source]
Standard operating procedure for both the Chrome [https://chromium.googlesource.com/chromium/src/+/HEAD/docs/s...] and Firefox [https://www.mozilla.org/en-US/about/governance/policies/secu...] bug tracking systems.

But the fix itself is public in both the Chrome [https://chromium.googlesource.com/chromium/src.git/+/36dbbf3...] and Firefox [https://github.com/mozilla/gecko-dev/commit/ac605820636c3b96...] source repos, and it makes pretty clear what the bug is.

replies(1): >>43604798 #
2. benatkin ◴[06 Apr 25 20:41 UTC] No.43604798[source]
Looks like this one only applied to windows. Here’s a link to the diff: https://chromium.googlesource.com/chromium/src.git/+/36dbbf3...