fix: Upgrade Apache Avro to 1.12.1 to address CVE-2025-33042

johngrimes · johngrimes · commit eec00797ddd6 · 2026-02-15T15:18:12.000+10:00
Overrides Spark's transitive Avro dependency (1.12.0) with the patched
version to fix a code injection vulnerability in the Apache Avro Java SDK.

The vulnerability allows code injection when processing untrusted Avro
schemas. While Pathling does not accept user-provided schemas, upgrading
eliminates the vulnerability and unblocks the CI security scan.

Added CVE to .trivyignore since Avro is not bundled in library-runtime
(provided at runtime) and server explicitly overrides to fixed version.
diff --git a/.trivyignore b/.trivyignore
@@ -33,6 +33,10 @@ CVE-2025-48924
 # Log4j is provided via Spark, not bundled in distribution.
 CVE-2025-68161
 
+# Avro is provided via Spark, not bundled in library-runtime distribution.
+# Server overrides to patched version 1.12.1 in server/pom.xml.
+CVE-2025-33042
+
 # Nimbus JOSE JWT is provided via Spring Security OAuth2, not directly controlled.
 CVE-2025-53864
 
diff --git a/server/pom.xml b/server/pom.xml
@@ -383,6 +383,12 @@
         <artifactId>jakarta.servlet-api</artifactId>
         <version>6.0.0</version>
       </dependency>
+      <!-- Override Spark's Avro version to fix CVE-2025-33042. -->
+      <dependency>
+        <groupId>org.apache.avro</groupId>
+        <artifactId>avro</artifactId>
+        <version>1.12.1</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
 
