{"library":"pyarrow-hotfix","title":"PyArrow Hotfix","description":"Pyarrow-hotfix is a pure Python package designed to mitigate the PyArrow security vulnerability CVE-2023-47248, which affected PyArrow versions 0.14.0 to 14.0.0. It disables deserialization of the vulnerable `arrow.py_extension_type` extension (`pyarrow.PyExtensionType`), whose schema metadata is a Python pickle that the IPC and Parquet readers unpickled on load, offering a temporary solution for users unable to immediately upgrade to PyArrow 14.0.1 or later. The library is released on an as-needed basis for security patches.","status":"active","version":"0.7","language":"en","source_language":"en","source_url":"https://github.com/pitrou/pyarrow-hotfix","tags":["security","pyarrow","hotfix","vulnerability","CVE-2023-47248"],"install":[{"cmd":"pip install pyarrow-hotfix","lang":"bash","label":"Pip install (recommended)"}],"dependencies":[{"reason":"This package is a hotfix for `pyarrow` and assumes `pyarrow` is already installed.","package":"pyarrow","optional":false}],"imports":[{"symbol":"pyarrow_hotfix","correct":"import pyarrow_hotfix"}],"quickstart":{"code":"import pyarrow_hotfix\nimport pyarrow as pa\n\n# The hotfix is applied simply by importing the module.\n# Any subsequent PyArrow operations will have the vulnerable feature disabled.\n# Example (will raise a RuntimeError if vulnerable data is encountered):\n# try:\n#     pa.ipc.open_file('malicious_data.arrow')\n# except RuntimeError as e:\n#     print(f\"Caught expected error: {e}\")","lang":"python","description":"The hotfix is activated simply by importing the `pyarrow_hotfix` module, which registers a replacement for the `arrow.py_extension_type` extension that raises instead of unpickling. Import it early in your application's lifecycle, before any untrusted Arrow IPC or Parquet data is read. The registration lives only in the interpreter that performed the import, so every Python process that reads such data (worker processes, notebook kernels, scheduled jobs) must import it."},"warnings":[{"fix":"The recommended long-term solution is to upgrade to PyArrow 14.0.1 or later. If upgrading PyArrow is not immediately possible, consider refactoring your code to use the secure API `pyarrow.ExtensionType` instead of `pyarrow.PyExtensionType`: it requires you to implement `__arrow_ext_serialize__` and `__arrow_ext_deserialize__` explicitly, so the metadata is bytes you define and validate rather than a pickle.","message":"Importing `pyarrow-hotfix` disables deserialization of `pyarrow.PyExtensionType` data. Any workload that reads Parquet, IPC or other Arrow data whose schema carries an `arrow.py_extension_type` column will fail with a `RuntimeError` related to 'forbidden deserialization of 'arrow.py_extension_type''. Writing such data is unaffected, but it cannot be read back while the hotfix is active.","severity":"breaking","affected_versions":"PyArrow versions 0.14.0 to 14.0.0 when `pyarrow-hotfix` is active."},{"fix":"Prioritize upgrading your `pyarrow` dependency to version 14.0.1 or higher to fully resolve the underlying vulnerability and remove the need for the hotfix package.","message":"While `pyarrow-hotfix` addresses the CVE-2023-47248 vulnerability, it is a temporary measure. The Apache Arrow community strongly recommends upgrading to PyArrow 14.0.1 or later as the definitive solution.","severity":"gotcha","affected_versions":"<14.0.1"},{"fix":"Always use `pip install pyarrow-hotfix` for installation and `import pyarrow_hotfix` in your Python code for clarity and consistency.","message":"For installations via `pip`, both `pyarrow-hotfix` and `pyarrow_hotfix` are accepted package names and point to the same package on PyPI, because PyPI normalizes hyphens and underscores. However, consistency in naming (`pyarrow-hotfix` for `pip` and `import pyarrow_hotfix`) is good practice.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-05T00:00:00.000Z","next_check":"2026-07-04T00:00:00.000Z"}
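Added illustration of the mechanism the record above describes; this is not code from pyarrow or pyarrow-hotfix and needs no pyarrow install. It is a pure-Python model of an Arrow reader's extension-type registry: the `ARROW:extension:name` / `ARROW:extension:metadata` keys and the `arrow.py_extension_type` name are the real ones pyarrow writes into field metadata, but the registry, the metadata dictionary and every function name (`load_schema_field`, `run_hotfixed`, `pickle_globals`, ...) are assumptions made for the example. It shows why the pre-14.0.1 `PyExtensionType` design is code execution (the metadata is a pickle, and unpickling runs whatever callable the file's author chose), what the hotfix changes (the registry entry for that name now refuses before `pickle.loads` is reached), what the `ExtensionType`-style replacement looks like (explicit, validated bytes), and how to inspect a suspicious metadata blob without executing it.

```python
"""Pure-Python model of CVE-2023-47248 and of what pyarrow-hotfix changes.

Added illustration, not pyarrow's or pyarrow-hotfix's code. REGISTRY, the
metadata dicts and all function names are hypothetical; only the mechanism
mirrors the real library.
"""
import json
import os
import pickle
import pickletools

# Maps an extension name (what pyarrow stores under "ARROW:extension:name")
# to a deserializer for the bytes under "ARROW:extension:metadata".
REGISTRY = {}


def register(name, deserializer):
    REGISTRY[name] = deserializer


def load_schema_field(metadata):
    """Resolve one field's extension type from (untrusted) schema metadata,
    the step a reader performs when it opens an IPC or Parquet file."""
    name = metadata["ARROW:extension:name"]
    blob = metadata["ARROW:extension:metadata"]
    if name not in REGISTRY:
        return ("unregistered", name)   # pyarrow falls back to the storage type
    return REGISTRY[name](blob)


# Vulnerable behaviour (PyExtensionType before 14.0.1): the metadata is a
# pickle of the type object, so whatever the file's author pickled runs.
def py_extension_type_deserialize(blob):
    return pickle.loads(blob)


# Hotfix behaviour: the same registry name now maps to a deserializer that
# refuses before pickle is touched. Importing pyarrow_hotfix does this.
def forbidden_deserialize(blob):
    raise RuntimeError(
        "Forbidden deserialization of 'arrow.py_extension_type': "
        "storing a Python pickle can lead to arbitrary code execution.")


# Safe design (pyarrow.ExtensionType style): explicit bytes you define and
# validate on the way back in; no unpickling anywhere.
def period_type_serialize(freq):
    return json.dumps({"freq": freq}).encode()


def period_type_deserialize(blob):
    params = json.loads(blob.decode())
    if set(params) != {"freq"} or not isinstance(params["freq"], str):
        raise ValueError("unexpected period metadata")
    return ("period", params["freq"])


class Payload:
    """Unpickling this calls os.getpid(); a real attacker picks os.system."""
    def __reduce__(self):
        return (os.getpid, ())


def malicious_field_metadata():
    """Constructed sample of attacker-controlled field metadata for a
    PyExtensionType column; the pickle is the whole attack."""
    return {"ARROW:extension:name": "arrow.py_extension_type",
            "ARROW:extension:metadata": pickle.dumps(Payload())}


def pickle_globals(blob):
    """Forensic check: list the callables a pickle would import, using
    pickletools (which never executes opcodes). Handles protocol 4's
    STACK_GLOBAL (module and name pushed as strings first) and GLOBAL."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(blob):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE"):
            strings.append(arg)
        elif op.name == "STACK_GLOBAL":
            found.append(strings[-2] + "." + strings[-1])
        elif op.name in ("GLOBAL", "INST"):
            found.append(".".join(arg.split()))
    return found


def run_unpatched():
    register("arrow.py_extension_type", py_extension_type_deserialize)
    return load_schema_field(malicious_field_metadata())  # returns the pid


def run_hotfixed():
    register("arrow.py_extension_type", forbidden_deserialize)
    try:
        load_schema_field(malicious_field_metadata())
    except RuntimeError as exc:
        return str(exc)
    return None


def run_safe_type():
    register("example.period", period_type_deserialize)
    return load_schema_field({"ARROW:extension:name": "example.period",
                              "ARROW:extension:metadata": period_type_serialize("D")})


def current_pid():
    return os.getpid()


if __name__ == "__main__":
    blob = malicious_field_metadata()["ARROW:extension:metadata"]
    print("pickle would import:", pickle_globals(blob))
    print("unpatched reader returned:", run_unpatched())
    print("hotfixed reader raised:", run_hotfixed())
    print("ExtensionType-style field:", run_safe_type())
```

`run_unpatched` returning the process id is the point: the reader never asked for that value, the pickle asked for it, and `os.getpid` is standing in for `os.system`. `pickle_globals` is the check to run on a quarantined file's metadata before deciding whether to load it with `pyarrow_hotfix.uninstall`-style overrides or an older PyArrow; it only walks opcodes, so it is safe on hostile input.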