CVE-2026-48207 | THREATINT

Description

Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes. This issue affects Apache Fory: from before 1.0.0. Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.

PUBLISHED Reserved 2026-05-21 | Published 2026-05-21 | Updated 2026-05-21 | Assigner apache

Problem types

CWE-502 Deserialization of Untrusted Data

Product status

Default status

unaffected

0.13.0 (semver) before 1.0.0

affected

Credits

Lide Wen reporter

References

www.openwall.com/lists/oss-security/2026/05/21/10

fory.apache.org/security/ vendor-advisory

cve.org (CVE-2026-48207)

nvd.nist.gov (CVE-2026-48207)

Download JSON