A vulnerability (medium or high depending on source) has been published affecting all versions of aircompressor except 3.4.
https://www.cve.org/CVERecord?id=CVE-2025-67721
Parquet-hadoop 1.16.0 uses 2.0.2, which is the latest release at that location, since the next major was released under aircompressor-v3.
https://mvnrepository.com/artifact/io.airlift/aircompressor
https://mvnrepository.com/artifact/io.airlift/aircompressor-v3
There's an open PR (airlift/aircompressor#309) to backport the CVE fix to a potential 2.0.3, but it's unclear if this will be picked up.
Are there plans to migrate to aircompressor-v3?
Or is there any information on whether parquet-hadoop is unaffected by this vulnerability? My understanding is that writers using UNCOMPRESSED (default) are not affected.
Best regards,
Tiago