CVE Reference
Impacted versions
-
Self-managed Connectors with Confluent Platform
- Kafka-connect-ftps (< 1.0.14)
- Kafka-connect-gcp-dataproc-sink (< 1.3.1)
- Kafka-connect-hdfs2-source (< 2.6.11)
- Kafka-connect-hdfs-sink (< 10.2.13, < 10.1.18)
- Kafka-connect-hdfs3-source (< 2.6.11)
- Kafka-connect-hdfs3-sink (< 1.2.5, < 1.1.37)
- Kafka-connect-s3-source (< 2.6.11)
- Managed Confluent Cloud Connectors
Recommended action
- This issue is resolved in the updated connector versions for use with Confluent Platform:
- Kafka-connect-ftps >= version 1.0.14
- Kafka-connect-gcp-dataproc-sink >= version 1.3.1
- Kafka-connect-hdfs2-source >= version 2.6.11
- Kafka-connect-hdfs-sink >= version 10.2.13 and 10.1.18
- Kafka-connect-hdfs3-source >= version 2.6.11
- Kafka-connect-hdfs3-sink >= version 1.2.5 and 1.1.37
- Kafka-connect-s3-source >= 2.6.11
- Please note that the managed Confluent Cloud connectors Kafka-connect-gcp-dataproc-sink and Kafka-connect-s3-source have already been fixed, and no security impact to Confluent Cloud systems was observed. No further action is necessary at this time.
Issue
A security vulnerability has been identified that impacts both self-managed connectors configured with Confluent Platform and managed Confluent Cloud connectors. This issue stems from the use of vulnerable versions of the org.apache.parquet:parquet-avro library, affected by CVE-2025-30065. The vulnerability arises due to missing validations on allowed Java classes during deserialization of Parquet files in the parquet-avro module. A privileged attacker could exploit this by configuring an impacted connector to parse a malicious Parquet file, potentially resulting in the instantiation of arbitrary Java classes on the classpath. This may lead to Remote Code Execution (RCE) on the Connect workers.
For Confluent Platform users, this vulnerability is only applicable if they are using the affected connector versions mentioned earlier. An adversary would also need elevated privileges to create or modify connectors that can process specially crafted Parquet files.
Managed Confluent Cloud connectors were also found to be affected by CVE-2025-30065. However, there was no observed security impact to Confluent Cloud systems. The affected managed connectors have since been updated with the necessary fixes, and no further action is required from customers at this time.
Remediation
-
Self-managed Connectors with Confluent Platform, please upgrade to the following versions:
- Kafka-connect-ftps (>= 1.0.14)
- Kafka-connect-gcp-dataproc-sink (>= 1.3.1)
- Kafka-connect-hdfs2-source (>= 2.6.11)
- Kafka-connect-hdfs-sink (>= 10.2.13, >= 10.1.18)
- Kafka-connect-hdfs3-source (>= 2.6.11)
- Kafka-connect-hdfs3-sink (>= 1.2.5, >= 1.1.37)
- Kafka-connect-s3-source (>= 2.6.11)
-
Managed Confluent Cloud Connectors
- Affected GCP Dataproc Sink and S3 Source managed connectors have already been fixed. No further action is necessary at this time.
CVSS Score: 8.0
CVSS v3.1 Calculator