=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN161
_____________________________________________________________________

DATE                : 13/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Avro Java SDK versions
                     prior to 1.12.1, 1.11.5.

=====================================================================
https://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1
_____________________________________________________________________

CVE-2025-33042: Apache Avro Java SDK: Code injection on Java
generated code

Severity: moderate

Affected versions:

- Apache Avro Java SDK (org.apache.avro:avro) through 1.11.4
- Apache Avro Java SDK (org.apache.avro:avro) 1.12.0

Description:

Improper Control of Generation of Code ('Code Injection') vulnerability
in Apache Avro Java SDK when generating specific records from untrusted
Avro schemas.

This issue affects Apache Avro Java SDK: all versions through 1.11.4
and version 1.12.0.

Users are recommended to upgrade to version 1.12.1 or 1.11.5, which
fix the issue.

This issue is being tracked as AVRO-4053.
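
One way to check a build against the affected range above (added example, not
part of the advisory or of Apache Avro). It assumes the default text output of
`mvn dependency:tree` as input; the function names and the sample tree are
constructed for illustration.

```python
import re

# Affected range as stated in the advisory: through 1.11.4, and 1.12.0.
LAST_AFFECTED_1_11 = (1, 11, 4)
AFFECTED_1_12 = (1, 12, 0)

# Constructed sample of `mvn dependency:tree` output (not from a real project).
SAMPLE = r"""
[INFO] com.example:ingest:jar:0.1.0
[INFO] +- org.apache.avro:avro:jar:1.11.4:compile
[INFO] +- org.apache.avro:avro-compiler:jar:1.12.0:compile
[INFO] |  \- org.apache.avro:avro:jar:1.12.0:compile
[INFO] +- org.apache.avro:avro:jar:tests:1.11.5:test
[INFO] \- org.apache.avro:avro:jar:1.12.1:runtime
"""

def parse_version(text):
    """Leading numeric part of a version as a 3-tuple, or None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def is_affected(version):
    """True/False per the advisory's range; None when the version is unreadable."""
    v = parse_version(version)
    if v is None:
        return None
    # Qualifiers such as -SNAPSHOT are ignored, so 1.12.0-SNAPSHOT counts as 1.12.0.
    return v <= LAST_AFFECTED_1_11 or v == AFFECTED_1_12

def scan(tree_text):
    """Return (version, scope, affected) for each org.apache.avro:avro entry."""
    hits = []
    for line in tree_text.splitlines():
        for token in re.findall(r"[\w.\-]+(?::[\w.\-]+)+", line):
            parts = token.split(":")
            # Coordinate layout: groupId:artifactId:type[:classifier]:version:scope
            if len(parts) >= 5 and parts[:2] == ["org.apache.avro", "avro"]:
                hits.append((parts[-2], parts[-1], is_affected(parts[-2])))
    return hits

if __name__ == "__main__":
    for version, scope, affected in scan(SAMPLE):
        status = {True: "AFFECTED", False: "ok", None: "unknown"}[affected]
        print(f"org.apache.avro:avro {version} ({scope}): {status}")
```

Only the artifact named in the advisory (org.apache.avro:avro) is matched,
including copies pulled in transitively.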

Credit:

Brant Eckert (finder)

References:

https://avro.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-33042
https://issues.apache.org/jira/browse/AVRO-4053


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




