CVE-2025-61622

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-61622

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-61622.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-61622

Aliases

GHSA-538v-3wq9-4h3r

Published

2025-10-01T10:15:34.080Z

Modified

2026-04-10T05:33:49.583860Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Deserialization of untrusted data in python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions from 0.1.0 through 0.10.3: allows arbitrary code execution. An application is vulnerable if it reads pyfory serialized data from untrusted sources. An attacker can craft a data stream that selects pickle-fallback serializer during deserialization, leading to the execution of pickle.loads, which is vulnerable to remote code execution.

Users are recommended to upgrade to pyfory version 0.12.3 or later, which has removed pickle fallback serializer and thus fixes this issue.

References

Affected packages

Git / github.com/apache/fory

Affected ranges

Type

GIT

Repo

https://github.com/apache/fory

Events

Introduced

d59c458dce25f0c0c363104c1d07a3533cdfb00a

Last affected

a48e9032dfbcc6020883d9eba072647626ff4975

Introduced

7e6db1e97811b1cc95c9b8f5088e2abebe7f299a

Last affected

2e3dc3a432dffe6e1715b8d26f7d10ebc14bbbb6

Database specific

{
    "versions": [
        {
            "introduced": "0.1.0"
        },
        {
            "last_affected": "0.10.3"
        },
        {
            "introduced": "0.12.0"
        },
        {
            "last_affected": "0.12.2"
        }
    ]
}

Affected versions

v0.*

v0.12.0

v0.12.0-rc1

v0.12.1

v0.12.1-rc1

v0.12.2

v0.12.2-rc1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-61622.json"