PyArrow Hotfix

0.7 · active · verified Sun Apr 05

Pyarrow-hotfix is a pure Python package designed to mitigate the PyArrow security vulnerability CVE-2023-47248, which affected PyArrow versions 0.14.0 to 14.0.0. It disables the vulnerable deserialization feature, offering a temporary solution for users unable to immediately upgrade to PyArrow 14.0.1 or later. The library is released on an as-needed basis for security patches.

Warnings

breaking The `pyarrow-hotfix` explicitly disables the `pyarrow.PyExtensionType` feature. If your existing workloads rely on `pyarrow.PyExtensionType` for processing Parquet or other Arrow files, importing this hotfix will cause those workloads to fail with a `RuntimeError` related to 'forbidden deserialization of 'arrow.py_extension_type''.
Fix: The recommended long-term solution is to upgrade to PyArrow 14.0.1 or later. If upgrading PyArrow is not immediately possible, consider refactoring your code to use the secure API `pyarrow.ExtensionType` instead of `pyarrow.PyExtensionType`.
gotcha While `pyarrow-hotfix` addresses the CVE-2023-47248 vulnerability, it is a temporary measure. The Apache Arrow community strongly recommends upgrading to PyArrow 14.0.1 or later as the definitive solution.
Fix: Prioritize upgrading your `pyarrow` dependency to version 14.0.1 or higher to fully resolve the underlying vulnerability and remove the need for the hotfix package.
gotcha For installations via `pip`, both `pyarrow-hotfix` and `pyarrow_hotfix` are accepted package names and point to the same package on PyPI. However, consistency in naming (`pyarrow-hotfix` for `pip` and `import pyarrow_hotfix`) is good practice.
Fix: Always use `pip install pyarrow-hotfix` for installation and `import pyarrow_hotfix` in your Python code for clarity and consistency.

Install

pip install pyarrow-hotfix Pip install (recommended)

Imports

pyarrow_hotfix
```
import pyarrow_hotfix
```

Quickstart

The hotfix is activated simply by importing the `pyarrow_hotfix` module. This should be done early in your application's lifecycle to ensure the vulnerability is disabled before any potentially malicious PyArrow data is processed.

import pyarrow_hotfix
import pyarrow as pa

# The hotfix is applied simply by importing the module.
# Any subsequent PyArrow operations will have the vulnerable feature disabled.
# Example (will raise a RuntimeError if vulnerable data is encountered):
# try:
#     pa.ipc.open_file('malicious_data.arrow')
# except RuntimeError as e:
#     print(f"Caught expected error: {e}")

view raw JSON →