CVE-2025-61622

CRITICAL

pyfory 0.12.0-0.12.2 and pyfury 0.1.0-0.10.3 - Remote Code Execution via Pickle Deserialization


Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-61622. PoCs published by fa1consec.

AI-analyzed exploit summary: This PoC demonstrates a Remote Code Execution (RCE) vulnerability in Apache Pyfory (versions 0.12.0-0.12.2 and legacy PyFury 0.1.0-0.10.3) due to insecure pickle fallback deserialization. The exploit crafts a malicious pickle payload and sends it to a vulnerable target via a socket connection.

Description

Deserialization of untrusted data in Python in pyfory versions 0.12.0 through 0.12.2, and in the legacy pyfury versions 0.1.0 through 0.10.3, allows arbitrary code execution. An application is vulnerable if it reads pyfory serialized data from untrusted sources. An attacker can craft a data stream that selects the pickle-fallback serializer during deserialization, causing `pickle.loads` to be called on attacker-controlled bytes, which leads to remote code execution. Users are recommended to upgrade to pyfory version 0.12.3 or later, which has removed the pickle fallback serializer and thus fixes this issue.

Exploits (1)

GitHub · Working PoC · 4 stars
by fa1consec · python · poc
https://github.com/fa1consec/cve_2025_61622_poc


Classification
Working PoC: 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Apache Pyfory (0.12.0-0.12.2) and PyFury (0.1.0-0.10.3)
Authentication: none needed
Prerequisites: Network access to the vulnerable Pyfory/PyFury application · Target application must be running and listening on the specified port
Analyzed by devstral-2 on Feb 19, 2026

References (2)

Issue Tracking, Vendor Advisory
https://lists.apache.org/thread/vfn9hp9qt06db5yo1gmj3l114o3o2csd
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2025/09/29/3

Scores

CVSS v3: 9.8
EPSS: 0.0038
EPSS Percentile: 59.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-502
Status: published
Products (3)
apache/fory 0.1.0 - 0.10.3
pypi/pyfory 0.12.0 - 0.12.3 (PyPI)
pypi/pyfury 0.1.0 (PyPI)
Published: Oct 01, 2025
Tracked Since: Feb 18, 2026