Overview
A security vulnerability in the Parquet software used as part of Dremio and Cumulocity DataHub was recently published as CVE-2025-30065. The vulnerability allows attackers with write access to data lake files to upload specially crafted Parquet files that may execute the attacker's code when certain functions of the Parquet software are executed.
Impact on Cumulocity customers
We confirm that the affected functions of Parquet are not used in Dremio or in Cumulocity DataHub. We expect no impact on Cumulocity customers, the platform or connected devices.
Upgrades of DataHub containing non-vulnerable versions of the Parquet software will be gradually rolled out starting April 22nd, 2025.
In general, we recommend that customers enforce least-privilege access to their data lake storage accounts, rotate credentials regularly, audit access to the lake, and run regular malware scans on their data lake files.
In case of further questions, please do not hesitate to contact Cumulocity support.