Clarify the Affected Versions:

- The Python package pyfory (legacy name): all versions from 0.1.0 through 0.10.3 (0.11.x is not released)
- The Python package pyfury (new name, introduced in 0.12.0): versions 0.12.0 through 0.12.2
On Mon, Sep 29, 2025 at 3:04 PM Chaokun Yang <[email protected]> wrote:
>
> Severity: critical
>
> Affected versions:
>
> - Apache Fory (pyfory, pyfury) 0.5.0 through 0.12.2
>
> Description:
>
> Deserialization of untrusted data in Python in pyfory versions 0.12.0 through
> 0.12.2 allows arbitrary code execution. An application is vulnerable if it
> reads pyfory serialized data from untrusted sources. An attacker can craft a
> data stream that selects the pickle-fallback serializer during deserialization,
> leading to the execution of `pickle.loads`, which is vulnerable to remote
> code execution.
>
> Users are recommended to upgrade to version 0.12.3 or later, which has
> removed the pickle fallback serializer and thus fixes this issue.
>
> Credit:
>
> Mapta / BugBunny_ai (reporter)
>
> References:
>
> https://fory.apache.org
> https://www.cve.org/CVERecord?id=CVE-2025-61622
>
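As an added illustration of the pattern the advisory describes (this is not Fory's own code or wire format, and not the reporter's finding): a toy tag-dispatched deserializer whose unknown-tag branch falls back to `pickle.loads`, next to an allowlist version that refuses any tag it does not recognise. The frame layout, tag values and function names are constructed for this example. The fallback is exercised only with a harmless pickled dict; the point is that the sender chooses which codec runs.

```python
import pickle
import struct
from typing import Any, Callable, Dict

# Hypothetical frame layout, constructed for this example (not Fory's format):
#   1 byte  type tag
#   4 bytes big-endian payload length
#   N bytes payload
TAG_INT = 0x01
TAG_STR = 0x02
TAG_PICKLE = 0xFF  # "fallback" tag: payload is an arbitrary pickle


def encode(tag: int, payload: bytes) -> bytes:
    """Build one frame; used here only to construct sample input."""
    return struct.pack(">BI", tag, len(payload)) + payload


def _split(buf: bytes):
    """Parse the header and return (tag, payload), rejecting truncated frames."""
    if len(buf) < 5:
        raise ValueError("truncated header")
    tag, length = struct.unpack(">BI", buf[:5])
    payload = buf[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return tag, payload


def _decode_int(p: bytes) -> int:
    return int.from_bytes(p, "big", signed=True)


def _decode_str(p: bytes) -> str:
    return p.decode("utf-8")


def vulnerable_loads(buf: bytes) -> Any:
    """Dispatch on the tag, but let unknown tags fall through to pickle."""
    tag, payload = _split(buf)
    codecs = {TAG_INT: _decode_int, TAG_STR: _decode_str}
    codec = codecs.get(tag)
    if codec is None:
        # The defect the advisory describes: the sender can steer decoding
        # into pickle.loads, which can run code while unpickling.
        return pickle.loads(payload)
    return codec(payload)


# Allowlist of codecs; there is deliberately no entry for TAG_PICKLE.
SAFE_CODECS: Dict[int, Callable[[bytes], Any]] = {
    TAG_INT: _decode_int,
    TAG_STR: _decode_str,
}


def hardened_loads(buf: bytes) -> Any:
    """Allowlist dispatch: an unknown tag is an error, pickle is never reached."""
    tag, payload = _split(buf)
    try:
        codec = SAFE_CODECS[tag]
    except KeyError:
        raise ValueError(f"unsupported type tag 0x{tag:02x}") from None
    return codec(payload)


def benign_fallback_frame() -> bytes:
    """Constructed sample: a harmless pickled dict under the fallback tag."""
    return encode(TAG_PICKLE, pickle.dumps({"a": 1}))


def rejects_fallback(buf: bytes) -> bool:
    """True if the hardened decoder refuses the frame instead of decoding it."""
    try:
        hardened_loads(buf)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    frame = benign_fallback_frame()
    print("vulnerable:", vulnerable_loads(frame))   # reaches pickle.loads
    print("hardened rejects:", rejects_fallback(frame))
```

The fix in 0.12.3 (removing the fallback serializer) is the same move as dropping the `pickle.loads` branch: once the decoder only ever runs codecs from a fixed allowlist, the sender can no longer select a codec that interprets the payload as code. A decoder that logs or alerts on the unknown-tag error also gives you a detection point for streams that try to reach the fallback.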
