CVE-2025-61622

Deserialization of untrusted data in python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions from 0.1.0 through 0.10.3: allows arbitrary code execution. An application is vulnerable if it reads pyfory serialized data from untrusted sources. An attacker can craft a data stream that selects pickle-fallback serializer during deserialization, leading to the execution of `pickle.loads`, which is vulnerable to remote code execution. Users are recommended to upgrade to pyfory version 0.12.3 or later, which has removed pickle fallback serializer and thus fixes this issue.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/vfn9hp9qt06db5yo1gmj3l114o3o2csd	Issue Tracking Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/09/29/3	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:fory::::::::
	cpe:2.3:a:apache:fory::::::::

History

No history.

Information

Published : 2025-10-01 10:15

Updated : 2025-12-03 21:52

NVD link : CVE-2025-61622

Mitre link : CVE-2025-61622

CVE.ORG link : CVE-2025-61622

JSON object : View

Products Affected

apache

fory

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2025-61622", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-10-01T10:15:34.080", "references": [{"url": "https://lists.apache.org/thread/vfn9hp9qt06db5yo1gmj3l114o3o2csd", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2025/09/29/3", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Deserialization of untrusted data in\u00a0python in pyfory\u00a0versions 0.12.0 through 0.12.2, or the\u00a0legacy\u00a0pyfury versions from\u00a00.1.0 through 0.10.3: allows arbitrary code execution. An application is vulnerable if it reads pyfory serialized data from untrusted sources.\u00a0An attacker can craft a data stream that selects pickle-fallback serializer during deserialization, leading to the execution of `pickle.loads`, which is\u00a0vulnerable to\u00a0remote code execution.\n\nUsers are recommended to upgrade to pyfory version 0.12.3 or later, which has removed pickle fallback serializer and thus fixes this issue."}], "lastModified": "2025-12-03T21:52:30.080", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:fory:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6CDF1C62-3007-4137-AFBA-9EBB78508E22", "versionEndIncluding": "0.10.3", "versionStartIncluding": "0.1.0"}, {"criteria": "cpe:2.3:a:apache:fory:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B2E53C07-98C5-4EC3-985C-7C635D7A3CD8", "versionEndIncluding": "0.12.2", "versionStartIncluding": "0.12.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}