This is an automated email from the ASF dual-hosted git repository.

chaokunyang pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/fory-site.git


The following commit(s) were added to refs/heads/main by this push:
     new d67858fb4 add pyfory pickle sec (#324)
d67858fb4 is described below

commit d67858fb4fd907875ede3cd01ebe81978d1aa0be
Author: Shawn Yang <[email protected]>
AuthorDate: Sat Oct 4 23:37:40 2025 +0800

    add pyfory pickle sec (#324)
---
 src/pages/security/index.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/pages/security/index.md b/src/pages/security/index.md
index 0cddf1ed3..9c5b0a45d 100644
--- a/src/pages/security/index.md
+++ b/src/pages/security/index.md
@@ -9,6 +9,18 @@ Apache Fory™ uses the standard process outlined by the [Apache 
Security Team](
 
 To report a possible security vulnerability, please email 
[email protected].
 
+### [CVE-2025-61622](https://www.cve.org/CVERecord?id=CVE-2025-61622): Python 
RCE via unguarded pickle fallback serializer in pyfory
+
+Severity: Critical
+
+Vendor: The Apache Software Foundation
+
+Versions affected: 0.5.0 through 0.12.2 for pyfory, and the legacy fury 
versions from 0.1.0 through 0.10.3
+
+Description: Deserialization of untrusted data in python in pyfory versions 
0.12.0 through 0.12.2, or the legacy pyfury versions from 0.1.0 through 0.10.3: 
allows arbitrary code execution. An application is vulnerable if it reads 
pyfory serialized data from untrusted sources. An attacker can craft a data 
stream that selects pickle-fallback serializer during deserialization, leading 
to the execution of `pickle.loads`, which is vulnerable to remote code 
execution.
+
+Mitigation: Users of Apache Fory are recommended to upgrade to pyfory version 
0.12.3 or later, which has removed pickle fallback serializer and thus fixes 
this issue. Developers of libraries and applications that depend on Apache Fory 
should update their dependency requirements to Apache Fory 0.12.3 or later and 
release new versions of their software.
+
 ### [CVE-2025-59328](https://www.cve.org/CVERecord?id=CVE-2025-59328): Denial 
of Service (DoS) due to Deserialization of Untrusted malicious large Data
 
 Severity: Mederate
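Review bot: the "Versions affected" line and the "Description" paragraph of the new CVE-2025-61622 entry disagree on the affected range and on the legacy package name: "Versions affected" says "0.5.0 through 0.12.2 for pyfory, and the legacy fury versions from 0.1.0 through 0.10.3", while "Description" says "pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions from 0.1.0 through 0.10.3". Pick one pyfory range (0.5.0 or 0.12.0 as the lower bound) and one name for the legacy package (pyfury, since that is the PyPI name users will search for) so a reader can tell whether their installed version is in scope. The "Mitigation" paragraph only gives an upgrade target for pyfory (0.12.3 or later); since legacy pyfury releases are listed as affected, state explicitly what those users should do (presumably migrate to pyfory 0.12.3 or later), rather than leaving it implicit. Minor wording in "Description": "in python" should be "in Python", and "selects pickle-fallback serializer" should read "selects the pickle fallback serializer". The unchanged context line "Severity: Mederate" in the CVE-2025-59328 entry below has a pre-existing typo ("Moderate") that could be fixed in the same change.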

