CVE-2025-61622
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-61622, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-01

Last updated on: 2025-12-03

Assigner: Apache Software Foundation

Description

Deserialization of untrusted data in python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions from 0.1.0 through 0.10.3: allows arbitrary code execution. An application is vulnerable if it reads pyfory serialized data from untrusted sources. An attacker can craft a data stream that selects pickle-fallback serializer during deserialization, leading to the execution of `pickle.loads`, which is vulnerable to remote code execution. Users are recommended to upgrade to pyfory version 0.12.3 or later, which has removed pickle fallback serializer and thus fixes this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-01
Last Modified
2025-12-03
Generated
2026-07-06
AI Q&A
2025-10-01
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
apache fory From 0.1.0 (inc) to 0.10.3 (inc)
apache fory From 0.12.0 (inc) to 0.12.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves deserialization of untrusted data in the pyfory Python library versions 0.12.0 through 0.12.2 and legacy pyfury versions 0.1.0 through 0.10.3. An attacker can craft malicious serialized data that triggers the use of a pickle-fallback serializer during deserialization, which executes arbitrary code via pickle.loads. This allows remote code execution when an application reads pyfory serialized data from untrusted sources.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary code remotely on your system if your application deserializes pyfory data from untrusted sources. This could lead to unauthorized control over your system, data theft, data corruption, or disruption of services.

Mitigation Strategies

Upgrade pyfory to version 0.12.3 or later, as these versions have removed the pickle fallback serializer that leads to this vulnerability. Additionally, avoid reading pyfory serialized data from untrusted sources to prevent arbitrary code execution.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61622. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart