CVE-2026-48207

CRITICAL

Apache Fory: PyFory ReduceSerializer Incomplete Policy Enforcement

Title source: cna

Description

Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes. This issue affects Apache Fory: from before 1.0.0. Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.

References (2)

Core 2

Core References

Vendor Advisory vendor-advisory

https://fory.apache.org/security/#cve-2026-48207-pyfory-reduceserializer-deserializationpolicy-bypass

Mailing List

http://www.openwall.com/lists/oss-security/2026/05/21/10

Scores

CVSS v3 9.8

EPSS 0.0004

EPSS Percentile 12.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-502

Status published

Products (1)

Apache Software Foundation/Apache Fory 0.13.0 - 1.0.0

Published May 21, 2026

Tracked Since May 21, 2026