GHSA-RRJR-V56M-WW88: Stack Exhaustion Denial of Service in ParquetSharp DecimalConverter
Vulnerability ID: GHSA-RRJR-V56M-WW88
CVSS Score: 5.3
Published: 2026-04-24
ParquetSharp versions 18.1.0 through 23.0.0.0 (inclusive) are vulnerable to a stack exhaustion Denial of Service (DoS) flaw. The vulnerability resides in the DecimalConverter class, where values taken from the file's own metadata determine the size of a stack allocation with no upper bound, so an attacker who controls the file controls how much stack the converter tries to reserve.
TL;DR
A stack exhaustion vulnerability in ParquetSharp allows an attacker to crash the host application by supplying a crafted Parquet file whose schema declares excessively large decimal column widths. The result is a StackOverflowException, which .NET code cannot catch: the runtime terminates the process, so a single bad file takes down the whole ingestion service rather than just the one request.
⚠️ Exploit Status: POC
Technical Details
- Vulnerability Type: Stack Exhaustion (Denial of Service)
- CWE ID: CWE-121
- Attack Vector: Local / Remote (any channel that delivers an untrusted Parquet file to the parser)
- CVSS Score: 5.3 (Moderate)
- Exploit Status: Proof of Concept Available
- KEV Status: Not Listed
Affected Systems
- .NET applications utilizing ParquetSharp for processing untrusted Parquet files
- Data ingestion pipelines processing externally sourced columnar data
- ParquetSharp: >= 18.1.0, < 23.0.0.1 (Fixed in: 23.0.0.1)
Mitigation Strategies
- Upgrade the ParquetSharp package to version 23.0.0.1 or later
- Implement strict metadata and schema validation on untrusted Parquet files before any column data is decoded: in particular, reject files whose schema declares a decimal precision or fixed-length byte width larger than the consumer can actually hold, and keep the validator itself bounded so that it does not become a second place where file-controlled sizes drive resource use
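The following is an added example of the schema gate described above; it is not code from the advisory or from ParquetSharp. It reads only the Parquet footer (the Thrift compact-protocol FileMetaData block at the end of the file) with the Python standard library, under its own list, string, depth and footer-size limits, and reports any decimal column whose declared precision or fixed byte width exceeds a bound the caller chooses. It is written as a stand-alone pre-check so it can sit in front of a .NET consumer regardless of the ingestion path's language. The limits `MAX_*`, the default bounds of 38 digits / 16 bytes, and the `build_sample` file are assumptions constructed for this example; the Thrift field ids come from parquet.thrift.

```python
"""Footer-only decimal width pre-check for untrusted Parquet files.

Added example, not ParquetSharp code. Parses the Thrift compact-protocol FileMetaData footer
with the standard library, under its own size and depth limits, and reports decimal columns whose
declared precision or fixed byte width exceeds a caller-chosen bound, before a full reader runs."""
import struct

MAGIC = b"PAR1"
MAX_FOOTER, MAX_LIST, MAX_BINARY, MAX_DEPTH = 1 << 24, 1 << 16, 1 << 16, 8  # parser self-limits (assumed)
# Thrift compact protocol type codes (byte, double and map never occur in a Parquet footer).
(T_STOP, T_TRUE, T_FALSE, T_BYTE, T_I16, T_I32, T_I64, T_DOUBLE, T_BINARY, T_LIST, T_SET, T_MAP, T_STRUCT) = range(13)
# Field ids from parquet.thrift: FileMetaData.schema, SchemaElement.*, LogicalType.DECIMAL, DecimalType.precision.
FMD_SCHEMA, SE_TYPE_LENGTH, SE_NAME, SE_CONVERTED, SE_PRECISION, SE_LOGICAL = 2, 2, 4, 6, 8, 10
LT_DECIMAL, DEC_PRECISION, CONV_DECIMAL = 5, 2, 5

def _zz(n):  # zigzag-encode a signed integer
    return n << 1 if n >= 0 else (-n << 1) - 1

def _varint(n):
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out + bytes([n]))

class _Reader:
    """Bounded compact-protocol decoder: struct -> {field_id: value}, list -> Python list."""
    def __init__(self, buf): self.buf, self.pos = buf, 0

    def take(self, n):
        if self.pos + n > len(self.buf): raise ValueError("truncated footer")
        self.pos += n; return self.buf[self.pos - n:self.pos]

    def varint(self):
        v = shift = 0
        while True:
            b = self.take(1)[0]
            v |= (b & 0x7F) << shift
            if not b & 0x80: return v
            shift += 7
            if shift > 70: raise ValueError("varint too long")

    def value(self, t, depth):
        if t in (T_TRUE, T_FALSE): return t == T_TRUE  # bools carry their value in the type nibble
        if t in (T_I16, T_I32, T_I64):
            v = self.varint()
            return (v >> 1) ^ -(v & 1)  # zigzag-decode
        if t == T_BINARY:
            n = self.varint()
            if n > MAX_BINARY: raise ValueError("binary too long")
            return bytes(self.take(n))
        if t in (T_LIST, T_SET):
            hdr = self.take(1)[0]
            n, et = hdr >> 4, hdr & 0x0F
            if n == 15: n = self.varint()  # long form: size follows the header byte
            if n > MAX_LIST: raise ValueError("list too long")
            return [self.value(et, depth + 1) for _ in range(n)]
        if t == T_STRUCT: return self.struct(depth + 1)
        raise ValueError(f"unsupported thrift type {t}")

    def struct(self, depth=0):
        if depth > MAX_DEPTH: raise ValueError("nesting too deep")
        fields, fid = {}, 0
        while True:
            hdr = self.take(1)[0]
            if hdr == T_STOP: return fields
            delta, t = hdr >> 4, hdr & 0x0F
            fid = fid + delta if delta else self.value(T_I16, depth)  # delta 0: explicit zigzag i16 id
            fields[fid] = self.value(t, depth)

def decimal_columns(footer):
    """Yield (name, precision, type_length) for every decimal SchemaElement in a footer."""
    schema = _Reader(footer).struct().get(FMD_SCHEMA, [])
    if not isinstance(schema, list): raise ValueError("schema is not a list")
    for se in schema:
        if not isinstance(se, dict): raise ValueError("schema element is not a struct")
        logical = se.get(SE_LOGICAL)
        dec = logical.get(LT_DECIMAL) if isinstance(logical, dict) else None
        if se.get(SE_CONVERTED) != CONV_DECIMAL and dec is None: continue  # not a decimal column
        prec = se.get(SE_PRECISION)
        if prec is None and isinstance(dec, dict): prec = dec.get(DEC_PRECISION)
        name = se.get(SE_NAME)
        yield (name.decode("utf-8", "replace") if isinstance(name, bytes) else "?", prec, se.get(SE_TYPE_LENGTH))

def check_decimal_widths(data, max_precision=38, max_type_length=16):
    """Return offending (name, precision, type_length) triples; raise ValueError on bad framing.
    The default bounds are an assumption for this example (a 128-bit decimal); use what the consumer can hold."""
    if len(data) < 12 or data[:4] != MAGIC or data[-4:] != MAGIC: raise ValueError("not a Parquet file")
    flen = struct.unpack("<I", data[-8:-4])[0]  # footer length sits just before the trailing magic
    if flen > MAX_FOOTER or flen > len(data) - 12: raise ValueError("implausible footer length")
    footer = data[len(data) - 8 - flen:len(data) - 8]
    return [(n, p, w) for n, p, w in decimal_columns(footer)
            if (p is not None and p > max_precision) or (w is not None and w > max_type_length)]

def build_sample(precision, type_length):
    """Constructed zero-row file declaring one FIXED_LEN_BYTE_ARRAY DECIMAL column; footer hand-encoded."""
    root = b"\x48\x06schema" + b"\x15\x02" + b"\x00"                       # name="schema", num_children=1, STOP
    col = (b"\x15\x0e" + b"\x15" + _varint(_zz(type_length)) + b"\x15\x02"  # type=FIXED_LEN_BYTE_ARRAY, type_length, OPTIONAL
           + b"\x18\x06amount" + b"\x25\x0a" + b"\x15\x04"                 # name="amount", converted_type=DECIMAL, scale=2
           + b"\x15" + _varint(_zz(precision)) + b"\x00")                  # precision, STOP
    fmd = (b"\x15\x04" + b"\x19\x2c" + root + col                          # version=2, schema=[root, col]
           + b"\x16\x00" + b"\x19\x0c" + b"\x00")                          # num_rows=0, row_groups=[], STOP
    return MAGIC + fmd + struct.pack("<I", len(fmd)) + MAGIC
```

Call `check_decimal_widths(open(path, "rb").read())` before the file is handed to the .NET consumer and quarantine it on a non-empty result or a `ValueError`. The check rejects files with an encrypted footer (magic `PARE`) by design, since their schema cannot be inspected, and it only vouches for what the footer declares, not for the column chunks themselves, so it is a gate in front of the upgrade to 23.0.0.1, not a substitute for it. Both the older ConvertedType DECIMAL marker and the newer LogicalType DECIMAL struct are recognised, because writers differ in which one they emit.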
Remediation Steps:
- Identify all projects within the organization referencing the ParquetSharp NuGet package
- Verify the installed version falls in the affected range, 18.1.0 through 23.0.0.0 inclusive, checking transitive references as well as direct ones (dotnet list package --include-transitive lists both)
- Update the PackageReference to version 23.0.0.1
- Recompile and deploy the updated application
- Execute automated tests to ensure Parquet file parsing behaves as expected
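As an added example of the inventory step (not code from the advisory or the project), the following script walks a .NET source tree, collects every ParquetSharp reference and flags those inside the advisory's range. It understands SDK-style and legacy (namespaced) csproj files, the `VersionOverride` attribute, and central package management, where the version lives in the nearest `Directory.Packages.props` rather than in the csproj. `SAMPLE_TREE` is a constructed repository layout for demonstration. The script sees direct references only; pair it with `dotnet list package --vulnerable --include-transitive` for packages pulled in indirectly.

```python
"""Inventory ParquetSharp references in a .NET tree and flag the advisory's affected range.

Added example, not from the advisory or the project. Reads PackageReference items from SDK-style
and legacy (namespaced) *.csproj files plus <PackageVersion> items from the nearest
Directory.Packages.props (central package management)."""
from pathlib import Path, PurePosixPath
import xml.etree.ElementTree as ET

PACKAGE = "ParquetSharp"
AFFECTED_MIN, FIXED = "18.1.0", "23.0.0.1"  # advisory range: >= 18.1.0, < 23.0.0.1


def version_key(v):
    """Comparable tuple for a NuGet version: 23.0.0 == 23.0.0.0, and 23.0.0-beta sorts below 23.0.0."""
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    return nums + (0,) * (4 - len(nums)) + ((0, pre) if pre else (1, ""))


def is_affected(v):
    return version_key(AFFECTED_MIN) <= version_key(v) < version_key(FIXED)


def _local(tag):  # strip the MSBuild xmlns that legacy project files carry
    return tag.rsplit("}", 1)[-1]


def package_versions(xml_text):
    """{package: version or None} from PackageReference / PackageVersion items in one project file."""
    out = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) in ("PackageReference", "PackageVersion"):
            name = el.get("Include") or el.get("Update")
            child = next((c.text for c in el if _local(c.tag) == "Version"), None)
            if name: out[name] = el.get("Version") or el.get("VersionOverride") or child
    return out


def scan_files(files):
    """files: {posix path relative to the repo root: text}. Yields (path, version, affected)."""
    central = {PurePosixPath(p).parent: package_versions(t) for p, t in files.items()
               if PurePosixPath(p).name == "Directory.Packages.props"}
    for p, t in files.items():
        path = PurePosixPath(p)
        if path.suffix != ".csproj": continue
        refs = package_versions(t)
        if PACKAGE not in refs: continue
        v = refs[PACKAGE]
        if v is None:  # CPM: nearest Directory.Packages.props walking up from the project directory
            for d in (path.parent, *path.parent.parents):
                if d in central:
                    v = central[d].get(PACKAGE)
                    break
        yield str(path), v, v is not None and is_affected(v)


def scan_dir(root):
    """Disk front-end for scan_files: returns [(path, version, affected), ...] under root."""
    root = Path(root)
    wanted = [f for f in root.rglob("*") if f.suffix == ".csproj" or f.name == "Directory.Packages.props"]
    return list(scan_files({f.relative_to(root).as_posix(): f.read_text() for f in wanted}))


SAMPLE_TREE = {  # constructed for this example, not a real repository
    "Directory.Packages.props": '<Project><ItemGroup><PackageVersion Include="ParquetSharp" Version="22.0.0" />'
                                '</ItemGroup></Project>',
    "src/Ingest/Ingest.csproj": '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
                                '<PackageReference Include="ParquetSharp" /></ItemGroup></Project>',
    "src/Legacy/Legacy.csproj": '<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003"><ItemGroup>'
                                '<PackageReference Include="ParquetSharp"><Version>17.0.0</Version>'
                                '</PackageReference></ItemGroup></Project>',
    "src/Fixed/Fixed.csproj": '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
                              '<PackageReference Include="ParquetSharp" Version="23.0.0.1" /></ItemGroup></Project>',
    "src/Other/Other.csproj": '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
                              '<PackageReference Include="Newtonsoft.Json" Version="13.0.3" /></ItemGroup></Project>',
}
```

Run `scan_dir("path/to/repo")` and update every project reported as affected with `dotnet add <project> package ParquetSharp --version 23.0.0.1` (or bump the single `PackageVersion` entry when central package management is in use). The range comparison treats `23.0.0` and `23.0.0.0` as the same version, which is how NuGet resolves them, so a project pinned to `23.0.0` is still reported as affected.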
References
- GitHub Advisory: GHSA-RRJR-V56M-WW88
- G-Research/ParquetSharp PR #642
- ParquetSharp 23.0.0.1 Release Notes
- ParquetSharp on NuGet