GHSA-m5gw-83w2-7749CriticalCVSS 9.8
Apache Fory PyFory Deserialization of Untrusted Data
🔗 CVE IDs covered (1)
📋 Description
Fory PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes.
This issue affects Apache Fory: from before 1.0.0.
Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.
🎯 Affected products1
- pip/pyfory:>= 0.13.0, < 1.0.0