Describe the bug, including details regarding any error messages, version, and platform.
Vulnerability in io.airlift:aircompressor Dependency Used by parquet-hadoop
Summary
A published vulnerability (CVE-2025-67721) affects all versions of io.airlift:aircompressor except version 3.4.
CVE Reference:
https://www.cve.org/CVERecord?id=CVE-2025-67721
Currently, parquet-hadoop:1.15.2 depends on:
io.airlift:aircompressor:2.0.2
which is the latest release available under the original aircompressor artifact:
https://mvnrepository.com/artifact/io.airlift/aircompressor
However, newer releases have moved to a new artifact:
io.airlift:aircompressor-v3
Repository:
https://mvnrepository.com/artifact/io.airlift/aircompressor-v3
Request
Please update parquet-hadoop to use the newer aircompressor-v3 dependency so downstream consumers can remediate CVE-2025-67721.
Impact
Projects consuming parquet-hadoop inherit the vulnerable aircompressor dependency and are unable to mitigate the CVE without dependency overrides or exclusions.
Component(s)
No response