Description
Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes.

This issue affects Apache Fory: from before 1.0.0.

Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.
Published: 2026-05-21
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is caused by PyFory's ReduceSerializer bypassing DeserializationPolicy validation hooks during reduce‑state restoration and global‑name resolution when strict mode is disabled. As a result, an attacker can craft serialized objects that will be deserialized without policy enforcement, enabling execution of arbitrary code. This is a classic insecure deserialization flaw.

Affected Systems

All Apache Fory releases before version 1.0.0 are affected; any application that uses PyFory in Python‑native mode with strict mode turned off and relies on DeserializationPolicy to limit unsafe classes or functions is vulnerable.

Risk and Exploitability

The CVSS score of 9.8 marks the issue as critical. EPSS data are not available, so the current probability of exploitation cannot be quantified, and the vulnerability has not yet been listed in CISA KEV. The likely attack path entails an attacker delivering a maliciously crafted serialized payload to a Python application that loads it with PyFory in native mode, bypassing policy checks and achieving remote code execution. This inference is based on the description of the deserialization bypass and the requirement for attacker‑controlled data to trigger the flaw.

Generated by OpenCVE AI on May 21, 2026 at 18:28 UTC.

Remediation

Vendor fix available: the CVE description states that Apache Fory 1.0.0 enforces DeserializationPolicy validation on the affected ReduceSerializer paths; no separate workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Apache Fory to version 1.0.0 or later, which enforces DeserializationPolicy on the affected ReduceSerializer paths.
  • Keep strict mode enabled wherever PyFory Python-native mode is used; the bypass only applies when strict mode is disabled and DeserializationPolicy is relied on alone. If strict mode must be off, still configure a DeserializationPolicy that disallows unsafe classes, functions, and module attributes, and do not treat it as sufficient until running 1.0.0 or later.
  • If an upgrade cannot be performed immediately, restrict deserialization to trusted data sources and validate or sandbox the payload before passing it to PyFory.
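To make the flaw described in the Impact section and the mitigation above concrete, here is an added illustration in plain Python. It is not PyFory's code and does not use the PyFory API: it is a toy reduce-style deserializer with an invented JSON wire format, an invented allowlist policy class and an invented Point class. Records of kind "object" take the class path (instantiate a class and restore its state); records of kind "reduce" take the reduce/global-name path (resolve a callable by module and qualified name, then call it). The vulnerable loader applies the policy only on the class path, so an attacker-supplied reduce record reaches any importable callable; the fixed loader routes every global-name resolution through the policy regardless of which path asked for it.

```python
"""Added illustration, not PyFory's code: a toy reduce-style deserializer
showing a policy hook applied to class lookups but skipped on the
reduce/global-name path, and the fix of checking every lookup.
Wire format, DeserializationPolicy, Point and the payloads are invented."""
import importlib
import json
from dataclasses import dataclass


class PolicyViolation(Exception):
    """Raised when a serialized reference names something the policy forbids."""


class DeserializationPolicy:
    """Allowlist of fully qualified names that may be resolved while loading."""

    def __init__(self, allowed):
        self.allowed = frozenset(allowed)

    def check(self, module, qualname):
        if f"{module}.{qualname}" not in self.allowed:
            raise PolicyViolation(f"{module}.{qualname} is not in the allowlist")


def resolve_global(module, qualname):
    """Import `module` and walk the dotted `qualname`, like pickle's find_class."""
    obj = importlib.import_module(module)
    for part in qualname.split("."):
        obj = getattr(obj, part)
    return obj


@dataclass
class Point:
    x: int
    y: int


# Two record kinds, mirroring the two paths named in the advisory:
#   object -> instantiate the class and restore its __dict__ (class path)
#   reduce -> call a global callable with args (reduce-state / global-name path)
def load_vulnerable(wire, policy):
    rec = json.loads(wire)
    if rec["kind"] == "object":
        policy.check(rec["module"], rec["qualname"])  # policy enforced here only
        cls = resolve_global(rec["module"], rec["qualname"])
        obj = cls.__new__(cls)
        obj.__dict__.update(rec["state"])
        return obj
    if rec["kind"] == "reduce":
        # BUG: the callable is resolved and invoked without consulting the policy,
        # so any importable function (os.system, subprocess.*, ...) is reachable.
        fn = resolve_global(rec["module"], rec["qualname"])
        return fn(*rec["args"])
    raise ValueError("unknown record kind")


def load_fixed(wire, policy):
    rec = json.loads(wire)
    # Fix: every global-name resolution passes the policy first, whichever
    # path requested it.
    policy.check(rec["module"], rec["qualname"])
    target = resolve_global(rec["module"], rec["qualname"])
    if rec["kind"] == "object":
        obj = target.__new__(target)
        obj.__dict__.update(rec["state"])
        return obj
    if rec["kind"] == "reduce":
        return target(*rec["args"])
    raise ValueError("unknown record kind")


# Constructed sample inputs. The policy trusts only this module's Point class.
POLICY = DeserializationPolicy({f"{__name__}.Point"})
SAFE_PAYLOAD = json.dumps({"kind": "object", "module": __name__,
                           "qualname": "Point", "state": {"x": 1, "y": 2}})
# Attacker-controlled reduce record. os.getcwd is a harmless stand-in for
# what would be os.system or a subprocess call in a real payload.
MALICIOUS_PAYLOAD = json.dumps({"kind": "reduce", "module": "os",
                                "qualname": "getcwd", "args": []})


def demo():
    """Return (restored Point, value the vulnerable loader obtained by calling
    the attacker's callable, whether the fixed loader blocked that record)."""
    safe = load_fixed(SAFE_PAYLOAD, POLICY)
    leaked = load_vulnerable(MALICIOUS_PAYLOAD, POLICY)  # executes os.getcwd()
    try:
        load_fixed(MALICIOUS_PAYLOAD, POLICY)
        blocked = False
    except PolicyViolation:
        blocked = True
    return safe, leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is where the check lives: a policy consulted from one serializer path but not another is equivalent to no policy for an attacker who can choose the path, which is why the fix described in the advisory is to enforce DeserializationPolicy on the ReduceSerializer paths rather than to tighten the allowlist.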


Advisories

No advisories yet.

History

Thu, 21 May 2026 19:30:00 +0000

Type: References
Values Removed: (none shown)
Values Added: (none shown)

Thu, 21 May 2026 17:30:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 21 May 2026 17:00:00 +0000

Type: Description
Values Added: Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes. This issue affects Apache Fory: from before 1.0.0. Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.
Type: Title
Values Added: Apache Fory: PyFory ReduceSerializer Incomplete Policy Enforcement
Type: Weaknesses
Values Added: CWE-502
Type: References
Values Added: (none shown)


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-21T18:37:32.208Z

Reserved: 2026-05-21T12:06:15.985Z

Link: CVE-2026-48207

Vulnrichment

Updated: 2026-05-21T18:37:32.208Z

NVD

Status : Awaiting Analysis

Published: 2026-05-21T17:16:21.857

Modified: 2026-05-21T19:16:53.700

Link: CVE-2026-48207

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T18:30:16Z

Weaknesses