Vulnerability Description
Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes. This issue affects Apache Fory: from before 1.0.0. Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://fory.apache.org/security/#cve-2026-48207-pyfory-reduceserializer-deseria
- http://www.openwall.com/lists/oss-security/2026/05/21/10
FAQ
What is CVE-2026-48207?
CVE-2026-48207 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolu...
How severe is CVE-2026-48207?
CVE-2026-48207 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-48207?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.