The Apache Fory project, a high-performance multi-language serialization framework, has disclosed a critical vulnerability (CVE-2025-61622) that allows remote code execution (RCE) through its Python module pyfory. The bug affects versions 0.5.0 through 0.12.2.
According to the advisory, “Deserialization of untrusted data in python in pyfory versions 0.12.0 through 0.12.2 allows arbitrary code execution.” The flaw arises from an unguarded pickle fallback serializer, which can be abused if an application processes untrusted serialized data.
An attacker exploits this by crafting a serialized stream whose type selector routes deserialization to the fallback path, so the untrusted bytes end up in pickle.loads. As the advisory explains: “An attacker can craft a data stream that selects pickle-fallback serializer during deserialization, leading to the execution of pickle.loads, which is vulnerable to remote code execution.” Because pickle can reconstruct arbitrary callables from the stream, no bug in pyfory’s own serializers is needed: reaching pickle.loads with attacker-controlled input is the vulnerability.
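The following is an added illustration, not code from Apache Fory or the advisory. It uses a hypothetical one-byte type-tag wire format (a stand-in for pyfory’s real format, which it does not reproduce) to show the vulnerability class: a decoder that falls through to pickle.loads for any tag it does not recognise executes an attacker-chosen callable, while a decoder that rejects unknown tags does not. The gadget function, the Evil class and the tag values are all constructed for the example; a real payload would reference something like os.system instead of the recording stub.

```python
import pickle
import struct

# Hypothetical wire format (NOT pyfory's): one type-tag byte, then the payload.
TAG_INT = 0x01
TAG_STR = 0x02
# A tag the hardened decoder never dispatches on; the vulnerable one treats
# "anything else" as "hand it to pickle".
TAG_UNKNOWN = 0xFF

# Records calls made by the pickle gadget. Stands in for a side effect such as
# os.system("...") so the example can run safely and be asserted on.
EXECUTED = []


def gadget(arg):
    """Attacker-chosen callable; pickle invokes it by import path on load."""
    EXECUTED.append(arg)
    return arg


class Evil:
    # pickle serialises this as "call gadget('pwned')", not as an Evil object.
    def __reduce__(self):
        return (gadget, ("pwned",))


def build_payload():
    """Constructed attacker stream: an unrecognised tag followed by a pickle."""
    return bytes([TAG_UNKNOWN]) + pickle.dumps(Evil())


def encode_int(n):
    return bytes([TAG_INT]) + struct.pack(">q", n)


def encode_str(s):
    return bytes([TAG_STR]) + s.encode("utf-8")


def decode_vulnerable(data):
    """Unguarded fallback: any unknown tag lands in pickle.loads."""
    tag, body = data[0], data[1:]
    if tag == TAG_INT:
        return struct.unpack(">q", body)[0]
    if tag == TAG_STR:
        return body.decode("utf-8")
    return pickle.loads(body)  # attacker controls body -> code execution


def decode_hardened(data):
    """Same format, no fallback: unknown tags are a parse error."""
    tag, body = data[0], data[1:]
    if tag == TAG_INT:
        return struct.unpack(">q", body)[0]
    if tag == TAG_STR:
        return body.decode("utf-8")
    raise ValueError(f"unsupported type tag 0x{tag:02x}")


class RestrictedUnpickler(pickle.Unpickler):
    """If a pickle path must exist, refuse every global the stream asks for.

    This is the documented pickle hardening pattern (override find_class);
    the allow-list here is empty, so the gadget cannot be resolved.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def decode_restricted_pickle(body):
    import io
    return RestrictedUnpickler(io.BytesIO(body)).load()


def demo():
    """Returns (result of vulnerable decode, number of gadget executions)."""
    EXECUTED.clear()
    payload = build_payload()
    result = decode_vulnerable(payload)
    return result, len(EXECUTED)


if __name__ == "__main__":
    print("vulnerable decoder returned", demo())
    print("hardened decoder:", end=" ")
    try:
        decode_hardened(build_payload())
    except ValueError as exc:
        print("rejected:", exc)
```

Running the vulnerable decoder on the constructed payload calls gadget once and returns its result; the hardened decoder never reaches pickle and rejects the tag, and even a pickle path behind RestrictedUnpickler fails to resolve the callable. The fix pyfory shipped corresponds to the hardened decoder, removing the path rather than filtering it.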
Affected versions:
- Apache Fory (pyfory/pyfury) 0.5.0 – 0.12.2
Any application that runs one of these versions and deserializes untrusted input is exposed.
The Apache Fory team urges immediate updates: “Users are recommended to upgrade to version 0.12.3 or later, which has removed pickle fallback serializer and thus fixes this issue.”
The fix removes the fallback serializer rather than guarding it, so the patched release has no code path that hands incoming bytes to pickle.loads.
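An added helper, not part of the Apache Fory project, for checking whether an installed pyfory (or the older pyfury distribution name) falls in the affected range the advisory gives (0.5.0 through 0.12.2, fixed in 0.12.3). It reads the installed version from package metadata via the standard library and compares only the leading numeric components, so pre-release suffixes do not trip the parser. The distribution names checked and the range boundaries are taken from the text above; everything else is the example’s own.

```python
import re
from importlib import metadata

# Range as stated in the advisory coverage above (inclusive at both ends).
FIRST_AFFECTED = (0, 5, 0)
LAST_AFFECTED = (0, 12, 2)
FIXED_IN = (0, 12, 3)

# Distribution names to look for; the package was published under both.
DISTRIBUTIONS = ("pyfory", "pyfury")


def parse_version(text):
    """Return the leading major.minor.patch triple of a version string.

    Pre-release or local suffixes such as '0.12.3rc1' or '0.12.2+local'
    are ignored; the first three numeric components decide the comparison.
    Raises ValueError for strings without three numeric components.
    """
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version_text):
    """True if the version lies within 0.5.0 .. 0.12.2 inclusive."""
    return FIRST_AFFECTED <= parse_version(version_text) <= LAST_AFFECTED


def installed_versions():
    """Map each installed distribution name to its version string."""
    found = {}
    for name in DISTRIBUTIONS:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            continue
    return found


def audit():
    """Return (list of affected 'name==version' strings, all installed)."""
    installed = installed_versions()
    affected = [
        f"{name}=={ver}" for name, ver in installed.items() if is_affected(ver)
    ]
    return affected, installed


if __name__ == "__main__":
    affected, installed = audit()
    if not installed:
        print("neither pyfory nor pyfury is installed in this environment")
    for entry in affected:
        print(f"AFFECTED: {entry}; upgrade to {'.'.join(map(str, FIXED_IN))}+")
    for name, ver in installed.items():
        if f"{name}=={ver}" not in affected:
            print(f"ok: {name}=={ver}")
```

Run it inside each virtual environment or container image that might carry the library; a single interpreter’s result says nothing about the others.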