This is an automated email from the ASF dual-hosted git repository.
chaokunyang pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/fory-site.git
The following commit(s) were added to refs/heads/main by this push:
new a34162d8a4 update security (#455)
a34162d8a4 is described below
commit a34162d8a4a16718284668eb601b5dc32d7e695e
Author: Shawn Yang <[email protected]>
AuthorDate: Thu May 21 20:36:42 2026 +0800
update security (#455)
---
src/pages/security/index.md | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/pages/security/index.md b/src/pages/security/index.md
index 9c5b0a45d4..c038ad1e7c 100644
--- a/src/pages/security/index.md
+++ b/src/pages/security/index.md
@@ -9,6 +9,18 @@ Apache Fory™ uses the standard process outlined by the [Apache
Security Team](
To report a possible security vulnerability, please email
[email protected].
+### [CVE-2026-48207](https://www.cve.org/CVERecord?id=CVE-2026-48207): PyFory
ReduceSerializer DeserializationPolicy bypass
+
+Severity: Important
+
+Vendor: The Apache Software Foundation
+
+Versions affected: 0.13.0 through 0.17.0 for pyfory
+
+Description: Deserialization of untrusted data in pyfory versions 0.13.0
through 0.17.0 can bypass documented DeserializationPolicy validation in
Python-native mode with `strict=False`. Applications are vulnerable when they
deserialize attacker-controlled data and rely on a custom DeserializationPolicy
to restrict unsafe classes, functions, or module attributes.
+
+Mitigation: Upgrade to pyfory version 1.0.0 or later, which consistently
enforces DeserializationPolicy validation for this issue. Libraries and
applications that depend on Apache Fory should update their dependency
requirements and release patched versions.
+
### [CVE-2025-61622](https://www.cve.org/CVERecord?id=CVE-2025-61622): Python
RCE via unguarded pickle fallback serializer in pyfory
Severity: Critical
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]