oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2026-48207: Apache Fory: PyFory ReduceSerializer Incomplete Policy Enforcement

From: Chaokun Yang <chaokunyang () apache org>
Date: Thu, 21 May 2026 12:44:24 +0000
Severity: important 

Affected versions:

- Apache Fory (pyfory) 0.13.0 before 1.0.0

Description:

Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented 
DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is 
vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and 
relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes.

This issue affects Apache Fory: from before 1.0.0.

Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces 
DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.

Credit:

Lide Wen (reporter)

References:

https://fory.apache.org/security/#cve-2026-48207-pyfory-reduceserializer-deserializationpolicy-bypass
https://fory.apache.org
https://www.cve.org/CVERecord?id=CVE-2026-48207
Previous By Date Next
Previous By Thread Next

Current thread: