CVE-2025-61622
Published: 01 October 2025
Summary
CVE-2025-61622 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apache Fory. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 36.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely patching of the vulnerable pyfory library to version 0.12.3 or later, removing the pickle fallback serializer to eliminate the deserialization RCE vulnerability.
Enforces validation of untrusted serialized data inputs prior to deserialization, preventing exploitation of crafted malicious streams that trigger pickle.loads.
Provides for scanning to identify deployed vulnerable pyfory versions 0.12.0-0.12.2 or legacy pyfury, enabling detection and remediation before exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote arbitrary code execution via crafted serialized data supplied over the network to vulnerable applications using pyfory/pyfury, directly mapping to exploitation of public-facing applications.
NVD Description
Deserialization of untrusted data in python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions from 0.1.0 through 0.10.3: allows arbitrary code execution. An application is vulnerable if it reads pyfory serialized data from untrusted sources. An attacker…
more
can craft a data stream that selects pickle-fallback serializer during deserialization, leading to the execution of `pickle.loads`, which is vulnerable to remote code execution. Users are recommended to upgrade to pyfory version 0.12.3 or later, which has removed pickle fallback serializer and thus fixes this issue.
Deeper analysisAI
CVE-2025-61622 is a deserialization of untrusted data vulnerability (CWE-502) in the Python libraries pyfory versions 0.12.0 through 0.12.2 and legacy pyfury versions 0.1.0 through 0.10.3. It enables arbitrary code execution when an application deserializes pyfory serialized data from untrusted sources. Specifically, an attacker can craft a malicious data stream that forces the use of a pickle-fallback serializer during deserialization, triggering the execution of the insecure `pickle.loads` function.
The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low complexity, no privileges or user interaction required. Any remote attacker capable of supplying crafted serialized data to a vulnerable application can achieve arbitrary code execution on the target system, potentially leading to full compromise.
Advisories recommend upgrading to pyfory version 0.12.3 or later, which removes the pickle fallback serializer and resolves the issue. Additional details are available in the Apache mailing list announcement at https://lists.apache.org/thread/vfn9hp9qt06db5yo1gmj3l114o3o2csd and the oss-security mailing list at http://www.openwall.com/lists/oss-security/2025/09/29/3.
Details
- CWE(s)