PYSEC-2026-2984

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pyfory/PYSEC-2026-2984.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2984
Aliases
Published
2026-07-13T15:19:10.366997Z
Modified
2026-07-13T16:32:42.676818664Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Apache Fory PyFory Deserialization of Untrusted Data
Details

Fory PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes.

This issue affects Apache Fory: from before 1.0.0.

Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.

References

Affected packages

PyPI / pyfory

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.13.0
Fixed
1.0.0

Affected versions

0.*
0.13.0
0.13.1
0.13.2
0.14.0
0.14.1
0.15.0
0.16.0
0.17.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/pyfory/PYSEC-2026-2984.yaml"