CVE 9.8 CRITICAL

Apache Fory: PyFory ReduceSerializer Incomplete Policy Enforcement (CVE-2026-48207)

Score: 9.8 / 10 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass the documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory's Python-native mode with strict mode disabled and relies on a DeserializationPolicy to restrict unsafe classes, functions, or module attributes.

This issue affects Apache Fory versions before 1.0.0.

Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation on the affected ReduceSerializer paths and thus fixes this issue.

AI Analysis

Deserialization of untrusted data in PyFory's ReduceSerializer could bypass validation hooks

Basic Information

ID: CVE-2026-48207
Source: apache
Published: May 21, 2026 at 15:51
Modified: May 21, 2026 at 17:10

Affected Product

Vendor: Apache Software Foundation
Product: Apache Fory
Version: 0.13.0
Affected Versions: Apache Software Foundation Apache Fory 0.13.0

CWE Classification

AI Assessment

AI Score: 9.8 / 10
AI Severity: Critical

References
