CVEFinder.io

CVE-2025-61622

⛔ critical
Description

Deserialization of untrusted data in Python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions 0.1.0 through 0.10.3, allows arbitrary code execution. An application is vulnerable if it reads pyfory serialized data from untrusted sources. An attacker can craft a data stream that selects the pickle-fallback serializer during deserialization, leading to the execution of `pickle.loads`, which is vulnerable to remote code execution.

Users are recommended to upgrade to pyfory version 0.12.3 or later, which has removed the pickle fallback serializer and thus fixes this issue.
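As an added example (not code from CVEFinder.io, NVD or the Apache Fory project): a small Python checker that tests pinned package versions against the affected ranges stated above, covering both the current pyfory name and the legacy pyfury name; the `pip freeze` sample input is constructed.

```python
import re

# Inclusive affected ranges taken from the advisory text, keyed by
# distribution name. The fix shipped in pyfory 0.12.3 (pickle fallback removed).
AFFECTED = {
    "pyfory": ((0, 12, 0), (0, 12, 2)),  # pyfory 0.12.0 through 0.12.2
    "pyfury": ((0, 1, 0), (0, 10, 3)),   # legacy pyfury 0.1.0 through 0.10.3
}
FIXED_IN = "pyfory 0.12.3"

def parse_version(text):
    """Reduce a version string to a tuple of its leading numeric parts,
    padded to three places so '0.12' compares equal to '0.12.0'. A
    pre-release tag such as 'rc1' is ignored ('0.12.3rc1' counts as fixed)."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))

def is_affected(dist, version):
    """True when dist==version lies inside one of the affected ranges."""
    rng = AFFECTED.get(dist.strip().lower())
    if rng is None:
        return False
    low, high = rng
    return low <= parse_version(version) <= high

def scan_freeze(freeze_output):
    """Walk `pip freeze`-style 'name==version' lines and return one finding
    per affected package, carrying the remediation from the advisory."""
    findings = []
    for raw in freeze_output.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if "==" not in line:
            continue  # VCS, URL or editable pins carry no '==' version
        name, version = (s.strip() for s in line.split("==", 1))
        if is_affected(name, version):
            findings.append(f"{name}=={version}: affected by CVE-2025-61622, "
                            f"upgrade to {FIXED_IN} or later")
    return findings

# Constructed sample input for the demonstration, not a real environment.
SAMPLE_FREEZE = """\
numpy==1.26.4
pyfory==0.12.2   # last affected release
pyfury==0.10.3   # legacy package name, also affected
requests==2.32.3
"""
```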

CVSS Score: 9.8 (Critical)
EPSS Score: 0.3 (exploit probability)
Published Date: 2025-10-01
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is Very High Risk: more severe than 90.5% of all 328,009 vulnerabilities in our database (severity percentile rank #31,168, top 10% most severe).
🎯 CISA SSVC Assessment (updated Oct 1, 2025)

Exploitation Status: None (no known exploits)
Automatable: No (requires human interaction)
Technical Impact: Total (complete system compromise possible)
Discovered By: Mapta / BugBunny_ai (reporter)
SSVC data provided by CISA.

Last Modified: 2025-12-03
Source: NVD
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔗 Related CVEs (3)

CVE-2026-50076 (critical, CVSS 9.1, EPSS 0.2, published 2026-06-04): Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Jav...
CVE-2026-48207 (critical, CVSS 9.8, EPSS 0.1, published 2026-05-21): Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented Deserializati...
CVE-2025-59328 (medium, CVSS 6.5, EPSS 1.8, published 2025-09-15): A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). The issue stems from the ins...

These CVEs affect the same products.