This is an automated email from the ASF dual-hosted git repository. chaokunyang pushed a commit to branch add_CVE-2026-48207 in repository https://gitbox.apache.org/repos/asf/fory-site.git
commit 76f6d7f4dad99a93340a91779e26ef0cc9354c55 Author: 慕白 <[email protected]> AuthorDate: Thu May 21 20:32:40 2026 +0800 add cve 2026-48207 --- src/pages/security/index.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/pages/security/index.md b/src/pages/security/index.md index 9c5b0a45d4..c038ad1e7c 100644 --- a/src/pages/security/index.md +++ b/src/pages/security/index.md @@ -9,6 +9,18 @@ Apache Fory™ uses the standard process outlined by the [Apache Security Team]( To report a possible security vulnerability, please email [email protected]. +### [CVE-2026-48207](https://www.cve.org/CVERecord?id=CVE-2026-48207): PyFory ReduceSerializer DeserializationPolicy bypass + +Severity: Important + +Vendor: The Apache Software Foundation + +Versions affected: 0.13.0 through 0.17.0 for pyfory + +Description: Deserialization of untrusted data in pyfory versions 0.13.0 through 0.17.0 can bypass documented DeserializationPolicy validation in Python-native mode with `strict=False`. Applications are vulnerable when they deserialize attacker-controlled data and rely on a custom DeserializationPolicy to restrict unsafe classes, functions, or module attributes. + +Mitigation: Upgrade to pyfory version 1.0.0 or later, which consistently enforces DeserializationPolicy validation for this issue. Libraries and applications that depend on Apache Fory should update their dependency requirements and release patched versions. + ### [CVE-2025-61622](https://www.cve.org/CVERecord?id=CVE-2025-61622): Python RCE via unguarded pickle fallback serializer in pyfory Severity: Critical --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
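Review bot: The new CVE-2026-48207 entry in this hunk tells readers the bypass occurs "in Python-native mode with `strict=False`" but gives no guidance for deployments that cannot move to pyfory 1.0.0 right away; consider adding a sentence to the Mitigation paragraph stating whether keeping strict mode enabled (or avoiding Python-native mode for attacker-controlled input) keeps the affected code path out of reach, so operators can judge their exposure in the interim. Minor wording point in the same paragraph: "which consistently enforces DeserializationPolicy validation for this issue" reads awkwardly; "which enforces DeserializationPolicy validation consistently" says the same thing more plainly.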
