Home

Description

Deserialization of untrusted data in python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions from 0.1.0 through 0.10.3: allows arbitrary code execution. An application is vulnerable if it reads pyfory serialized data from untrusted sources. An attacker can craft a data stream that selects pickle-fallback serializer during deserialization, leading to the execution of `pickle.loads`, which is vulnerable to remote code execution. Users are recommended to upgrade to pyfory version 0.12.3 or later, which has removed pickle fallback serializer and thus fixes this issue.

PUBLISHED Reserved 2025-09-29 | Published 2025-10-01 | Updated 2025-10-01 | Assigner apache

Problem types

CWE-502 Deserialization of Untrusted Data

Product status

Default status
unaffected

0.12.0
affected

Default status
unaffected

0.1.0
affected

Credits

Mapta / BugBunny_ai reporter

References

lists.apache.org/thread/vfn9hp9qt06db5yo1gmj3l114o3o2csd vendor-advisory

cve.org (CVE-2025-61622)

nvd.nist.gov (CVE-2025-61622)

Download JSON