CVE-2025-59328
BaseFortify
Publication date: 2025-09-15
Last updated on: 2025-11-04
Assigner: Apache Software Foundation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | fory | From 0.5.0 (inc) to 0.12.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Apache Fory is an insecure deserialization issue (CWE-502). A remote attacker who can feed data to a Fory deserializer can send a specially crafted, large payload that consumes excessive CPU while being deserialized. That CPU exhaustion makes the application or system using Apache Fory unresponsive, resulting in a Denial of Service (DoS). Versions from 0.5.0 up to, but not including, 0.12.2 are affected. [1]
How can this vulnerability impact me?
The impact of this vulnerability is that an attacker can cause your application or system using Apache Fory to become unresponsive and unavailable to legitimate users by exhausting CPU resources. This leads to a Denial of Service (DoS), disrupting normal operations and potentially causing downtime. [1]
What immediate steps should I take to mitigate this vulnerability?
Users of Apache Fory should immediately upgrade to version 0.12.2 or later. Developers should update their dependency requirements to Apache Fory 0.12.2 or later and release new versions of their software to incorporate the fix. [1]
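To act on the upgrade advice you first need to know which builds still pull in an affected release. The script below is an added example, not code from this page or from the Fory project: it scans the output of `mvn dependency:list` (one `groupId:artifactId:type[:classifier]:version:scope` line per artifact) and flags core artifacts whose version falls in the affected range 0.5.0 (inclusive) to 0.12.2 (exclusive) listed above. It assumes both the current `org.apache.fory:fory-core` coordinates and the pre-rename `org.apache.fury:fury-core` coordinates, since older affected releases shipped under the earlier name; adjust the coordinate set if your build uses other Fory modules. The sample build output is constructed for the demonstration.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Affected range for CVE-2025-59328 as listed on this page:
# from 0.5.0 (inclusive) to 0.12.2 (exclusive).
AFFECTED_MIN: Tuple[int, int, int] = (0, 5, 0)
FIXED_IN: Tuple[int, int, int] = (0, 12, 2)

# Coordinates to check. Assumption: the library was published as
# org.apache.fury:fury-core before its rename and as org.apache.fory:fory-core
# afterwards; both are treated as the same product here.
FORY_COORDS = {
    ("org.apache.fory", "fory-core"),
    ("org.apache.fury", "fury-core"),
}

# One line of `mvn dependency:list` output, e.g.
#   [INFO]    org.apache.fury:fury-core:jar:0.10.3:compile
# The classifier field is optional.
LINE_RE = re.compile(
    r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):(\w+)(?::([\w.\-]+))?:([\w.\-]+):(\w+)"
)


def parse_version(v: str) -> Optional[Tuple[int, int, int]]:
    """Turn '0.12.1' into (0, 12, 1). Returns None for versions that do not
    start with three numeric components. Pre-release suffixes such as
    '0.12.2-rc1' are ignored, which is optimistic: review those by hand."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version lies inside [AFFECTED_MIN, FIXED_IN)."""
    t = parse_version(version)
    if t is None:
        # Unparsable scheme: do not silently pass it, but do not claim it
        # is affected either. Callers should surface these separately.
        return False
    return AFFECTED_MIN <= t < FIXED_IN


def find_vulnerable(lines: Iterable[str]) -> List[str]:
    """Scan mvn dependency:list output and return 'group:artifact:version (scope)'
    for every Fory core artifact in the affected range."""
    findings: List[str] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # progress lines, blank lines, non-artifact output
        group, artifact, _type, _classifier, version, scope = m.groups()
        if (group, artifact) in FORY_COORDS and is_affected(version):
            findings.append(f"{group}:{artifact}:{version} ({scope})")
    return findings


# Constructed sample of `mvn dependency:list` output, not taken from a real build.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.fury:fury-core:jar:0.10.3:compile
[INFO]    org.apache.fory:fory-core:jar:0.12.2:compile
[INFO]    com.google.guava:guava:jar:33.0.0-jre:compile
[INFO]    org.apache.fury:fury-core:jar:0.4.1:test
""".splitlines()


if __name__ == "__main__":
    # Usage: mvn dependency:list | python check_fory.py  (or run on the sample)
    for finding in find_vulnerable(SAMPLE_OUTPUT):
        print("AFFECTED by CVE-2025-59328:", finding)
```

Only the 0.10.3 line is reported: 0.12.2 is the fixed release and 0.4.1 sits below the affected range. Because the check is a plain version comparison, it is equally usable on a Gradle or SBOM dependency listing once the line regex is adapted; the important part is that it keys on the exact bounds stated in the advisory rather than on "0.12" as a prefix.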