Users are recommended to upgrade to pyfory version 0.12.3 or later, which has removed pickle fallback serializer and thus fixes this issue.
Metrics
Affected Vendors & Products
Source | ID | Title |
---|---|---|
![]() |
EUVD-2025-31867 | Deserialization of untrusted data in python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions from 0.1.0 through 0.10.3: allows arbitrary code execution. An application is vulnerable if it reads pyfory serialized data from untrusted sources. An attacker can craft a data stream that selects pickle-fallback serializer during deserialization, leading to the execution of `pickle.loads`, which is vulnerable to remote code execution. Users are recommended to upgrade to pyfory version 0.12.3 or later, which has removed pickle fallback serializer and thus fixes this issue. |
![]() |
GHSA-538v-3wq9-4h3r | Apache Pyfory python is vulnerable to deserialization of untrusted data |
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
Thu, 02 Oct 2025 09:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Apache
Apache fory |
|
Vendors & Products |
Apache
Apache fory |
Wed, 01 Oct 2025 13:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
cvssV3_1
|
Wed, 01 Oct 2025 10:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Deserialization of untrusted data in python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions from 0.1.0 through 0.10.3: allows arbitrary code execution. An application is vulnerable if it reads pyfory serialized data from untrusted sources. An attacker can craft a data stream that selects pickle-fallback serializer during deserialization, leading to the execution of `pickle.loads`, which is vulnerable to remote code execution. Users are recommended to upgrade to pyfory version 0.12.3 or later, which has removed pickle fallback serializer and thus fixes this issue. | |
Title | Apache Fory, Apache Fory: Python RCE via unguarded pickle fallback serializer in pyfory | |
Weaknesses | CWE-502 | |
References |
|

Status: PUBLISHED
Assigner: apache
Published:
Updated: 2025-10-01T13:08:39.262Z
Reserved: 2025-09-29T06:47:23.146Z
Link: CVE-2025-61622

Updated: 2025-10-01T13:08:33.816Z

Status : Awaiting Analysis
Published: 2025-10-01T10:15:34.080
Modified: 2025-10-02T19:12:17.160
Link: CVE-2025-61622

No data.

Updated: 2025-10-02T08:40:13Z