[sec] org.apache.avro:avro contains CVE-2025-33042

[adarshhm6]

Search before reporting

• I searched in the issues and found nothing similar.

Motivation

Summary
There is a reported security vulnerability in org.apache.avro:avro, which is used as a dependency in Apache Pulsar.

CVE: CVE-2025-33042
Affected dependency version in Pulsar:
pulsar-3.0/pom.xml
pulsar-4.0/pom.xml

<avro.version>1.11.4</avro.version>

Solution

Upgrade avro version to 1.12.1 or 1.11.5

Alternatives

No response

Anything else?

Could you please share the planned approach for handling this vulnerability in Apache Pulsar,

Are you willing to submit a PR?

• I'm willing to submit a PR!

[lhotari]

yes, this is a known issue. The fix is pending Avro 1.12.2 release due to https://issues.apache.org/jira/browse/AVRO-4209. Please check #24992 for PR to Pulsar which will upgrade to Avro 1.12.2 once it's available.
We might have to upgrade Pulsar 4.0.x to Avro 1.12.x since there doesn't seem that a fix is on the way for AVRO-4209 for Avro 1.11.x.

[lhotari]

It seems that https://issues.apache.org/jira/browse/AVRO-4209 doesn't apply to 1.11.x at all. I'll create a PR to upgrade Pulsar 4.0.x branch to use 1.11.5.