CVE-2025-61622
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-01

Last updated on: 2025-12-03

Assigner: Apache Software Foundation

Description
Deserialization of untrusted data in python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions from 0.1.0 through 0.10.3: allows arbitrary code execution. An application is vulnerable if it reads pyfory serialized data from untrusted sources. An attacker can craft a data stream that selects pickle-fallback serializer during deserialization, leading to the execution of `pickle.loads`, which is vulnerable to remote code execution. Users are recommended to upgrade to pyfory version 0.12.3 or later, which has removed pickle fallback serializer and thus fixes this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-01
Last Modified
2025-12-03
Generated
2026-06-16
AI Q&A
2025-10-01
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61622
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
apache fory From 0.1.0 (inc) to 0.10.3 (inc)
apache fory From 0.12.0 (inc) to 0.12.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves deserialization of untrusted data in the pyfory Python library versions 0.12.0 through 0.12.2 and legacy pyfury versions 0.1.0 through 0.10.3. An attacker can craft malicious serialized data that triggers the use of a pickle-fallback serializer during deserialization, which executes arbitrary code via pickle.loads. This allows remote code execution when an application reads pyfory serialized data from untrusted sources.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary code remotely on your system if your application deserializes pyfory data from untrusted sources. This could lead to unauthorized control over your system, data theft, data corruption, or disruption of services.

Mitigation Strategies

Upgrade pyfory to version 0.12.3 or later, as these versions have removed the pickle fallback serializer that leads to this vulnerability. Additionally, avoid reading pyfory serialized data from untrusted sources to prevent arbitrary code execution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61622. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart