This is an automated email from the ASF dual-hosted git repository.

chaokunyang pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/fory-site.git


The following commit(s) were added to refs/heads/main by this push:
     new a34162d8a4 update security (#455)
a34162d8a4 is described below

commit a34162d8a4a16718284668eb601b5dc32d7e695e
Author: Shawn Yang <[email protected]>
AuthorDate: Thu May 21 20:36:42 2026 +0800

    update security (#455)
---
 src/pages/security/index.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/pages/security/index.md b/src/pages/security/index.md
index 9c5b0a45d4..c038ad1e7c 100644
--- a/src/pages/security/index.md
+++ b/src/pages/security/index.md
@@ -9,6 +9,18 @@ Apache Fory™ uses the standard process outlined by the [Apache 
Security Team](
 
 To report a possible security vulnerability, please email 
[email protected].
 
+### [CVE-2026-48207](https://www.cve.org/CVERecord?id=CVE-2026-48207): PyFory 
ReduceSerializer DeserializationPolicy bypass
+
+Severity: Important
+
+Vendor: The Apache Software Foundation
+
+Versions affected: 0.13.0 through 0.17.0 for pyfory
+
+Description: Deserialization of untrusted data in pyfory versions 0.13.0 
through 0.17.0 can bypass documented DeserializationPolicy validation in 
Python-native mode with `strict=False`. Applications are vulnerable when they 
deserialize attacker-controlled data and rely on a custom DeserializationPolicy 
to restrict unsafe classes, functions, or module attributes.
+
+Mitigation: Upgrade to pyfory version 1.0.0 or later, which consistently 
enforces DeserializationPolicy validation for this issue. Libraries and 
applications that depend on Apache Fory should update their dependency 
requirements and release patched versions.
+
 ### [CVE-2025-61622](https://www.cve.org/CVERecord?id=CVE-2025-61622): Python 
RCE via unguarded pickle fallback serializer in pyfory
 
 Severity: Critical


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to