{"url":"http://public2.vulnerablecode.io/api/packages/74033?format=json","purl":"pkg:maven/org.apache.avro/avro@1.11.5","type":"maven","namespace":"org.apache.avro","name":"avro","version":"1.11.5","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"1.12.1","latest_non_vulnerable_version":"1.12.1","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37210?format=json","vulnerability_id":"VCID-cfcn-gwwn-ybe8","summary":"Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.\n\nThis issue affects Apache Avro Java SDK: all versions through 1.11.4 and versionĀ 1.12.0.\n\nUsers are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.","references":[{"reference_url":"https://github.com/apache/avro","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/avro"},{"reference_url":"https://github.com/apache/avro/commit/84bc7322ca1c04ab4a8e4e708acf1e271541aac4","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/avro/commit/84bc7322ca1c04ab4a8e4e708acf1e271541aac4"},{"reference_url":"https://github.com/apache/avro/pull/3150","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/avro/pull/3150"},{"reference_url":"https://issues.apache.org/jira/browse/AVRO-4053","reference_id":"","reference_type":"","scores":[],"url":"https://issues.apache.org/jira/browse/AVRO-4053"},{"reference_url":"https://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://lists.apache.org/thread/fy88wmgf1lj9479vrpt12cv8x73lroj1"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEAVRO-15282783","reference_id":"","reference_type":"","scores":[],"url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEAVRO-15282783"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/02/12/2","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"url":"http://www.openwall.com/lists/oss-security/2026/02/12/2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-33042","reference_id":"CVE-2025-33042","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-33042"},{"reference_url":"https://github.com/advisories/GHSA-rp46-r563-jrc7","reference_id":"GHSA-rp46-r563-jrc7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-rp46-r563-jrc7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74033?format=json","purl":"pkg:maven/org.apache.avro/avro@1.11.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.avro/avro@1.11.5"},{"url":"http://public2.vulnerablecode.io/api/packages/74032?format=json","purl":"pkg:maven/org.apache.avro/avro@1.12.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.avro/avro@1.12.1"}],"aliases":["CVE-2025-33042","GHSA-rp46-r563-jrc7","PYSEC-2026-26"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cfcn-gwwn-ybe8"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.avro/avro@1.11.5"}