CVE-2025-61622: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Fory
Deserialization of untrusted data in Python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions 0.1.0 through 0.10.3, allows arbitrary code execution. An application is vulnerable if it reads pyfory serialized data from untrusted sources. An attacker can craft a data stream that selects the pickle-fallback serializer during deserialization, leading to the execution of `pickle.loads`, which is vulnerable to remote code execution. Users are recommended to upgrade to pyfory version 0.12.3 or later, which has removed the pickle fallback serializer and thus fixes this issue.
AI Analysis
Technical Summary
CVE-2025-61622 is a critical vulnerability classified under CWE-502 (Deserialization of Untrusted Data) affecting Apache Software Foundation's Apache Fory and legacy Pyfury Python libraries. The vulnerability exists in pyfory versions 0.12.0 through 0.12.2 and pyfury versions 0.1.0 through 0.10.3, where the deserialization process can fall back to Python's pickle serializer when processing serialized data streams. Since pickle is inherently unsafe when handling untrusted input, an attacker can craft malicious serialized data that triggers pickle.loads execution, leading to arbitrary code execution on the target system. This vulnerability does not require any authentication or user interaction, making it trivially exploitable remotely if the application reads serialized data from untrusted sources. The impact includes full compromise of the affected system's confidentiality, integrity, and availability. The Apache Fory project addressed this issue in version 0.12.3 by removing the pickle fallback serializer, effectively eliminating the attack vector. No known exploits are currently reported in the wild, but the high severity and ease of exploitation make it a critical threat. Organizations using these libraries in production environments should urgently upgrade to the fixed version and audit their data deserialization practices to ensure no untrusted data is processed.
Potential Impact
For European organizations, the impact of CVE-2025-61622 is substantial. Exploitation allows attackers to execute arbitrary code remotely without authentication, potentially leading to full system compromise. This can result in data breaches, disruption of services, and unauthorized access to sensitive information. Organizations relying on Apache Fory or legacy Pyfury for data serialization in web services, APIs, or internal tools are particularly vulnerable. Critical sectors such as finance, healthcare, government, and telecommunications could face severe operational and reputational damage if exploited. The vulnerability's ease of exploitation and high CVSS score (9.8) underscore the urgency for mitigation. Additionally, the potential for lateral movement within networks after initial compromise increases the risk of widespread impact. European data protection regulations (e.g., GDPR) also heighten the consequences of data breaches stemming from this vulnerability.
Mitigation Recommendations
1. Immediately upgrade Apache Fory to version 0.12.3 or later, which removes the insecure pickle fallback serializer.
2. For legacy Pyfury users, migrate to updated versions or alternative serialization libraries that do not rely on unsafe deserialization mechanisms.
3. Audit all applications and services to identify any usage of pyfory or pyfury libraries, especially where serialized data is received from untrusted or external sources.
4. Implement strict input validation and enforce allowlisting of serialization formats to prevent fallback to unsafe serializers.
5. Employ network segmentation and application-layer firewalls to limit exposure of services that deserialize external data.
6. Monitor logs and network traffic for unusual deserialization attempts or anomalies indicative of exploitation attempts.
7. Educate developers about the risks of deserializing untrusted data and promote secure coding practices.
8. Consider deploying runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect and block exploitation attempts in real time.
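The dependency audit in step 3 can be partly automated against pinned requirements files. The following is an added example, not code from the advisory or the Apache Fory project: the affected version ranges and the fixed version are taken from the advisory text, the sample requirements file is constructed, and the `audit_requirements` and `is_affected` helper names are assumptions of this example.

```python
import re

# Inclusive version ranges taken from the advisory text for CVE-2025-61622.
AFFECTED_RANGES = {
    "pyfory": ("0.12.0", "0.12.2"),
    "pyfury": ("0.1.0", "0.10.3"),
}
FIXED_VERSION = "0.12.3"  # pyfory release that removed the pickle fallback

def parse_version(text: str) -> tuple:
    """Turn '0.12.1' (suffixes such as 'rc1' are ignored) into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(package: str, version: str) -> bool:
    """True if this package/version pair falls inside an affected range."""
    name = package.lower().replace("_", "-")
    if name not in AFFECTED_RANGES:
        return False
    low, high = (parse_version(v) for v in AFFECTED_RANGES[name])
    return low <= parse_version(version) <= high

# Matches exact pins such as 'pyfory==0.12.1'; any other specifier counts as unpinned.
_PIN = re.compile(r"^([A-Za-z0-9_.-]+)\s*={2,3}\s*([0-9][^\s;]*)")

def audit_requirements(requirements: str) -> list:
    """Scan requirements.txt text; report affected pins and unpinned relevant packages."""
    findings = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = _PIN.match(line)
        if m and is_affected(m.group(1), m.group(2)):
            findings.append({"package": m.group(1).lower(), "version": m.group(2),
                             "status": "affected", "advice": f"upgrade to pyfory>={FIXED_VERSION}"})
        elif not m:
            # A relevant package without an exact pin cannot be cleared by inspection alone.
            name = re.split(r"[<>=!~\[\s]", line, maxsplit=1)[0].lower()
            if name in AFFECTED_RANGES:
                findings.append({"package": name, "version": line, "status": "unpinned",
                                 "advice": "pin and verify the installed version"})
    return findings

# Constructed sample requirements file (not from the advisory).
SAMPLE = """requests==2.32.3
pyfory==0.12.1          # inside the affected range 0.12.0-0.12.2
pyfury>=0.9             # legacy package, not exactly pinned
"""
```

Unpinned entries are reported separately because only the resolved, installed version decides exposure; confirm those with `pip show` or `pip freeze` on the deployed environment.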
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: apache
- Date Reserved: 2025-09-29T06:47:23.146Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ddc314107aa30f08655c41
Added to database: 10/2/2025, 12:11:00 AM
Last enriched: 11/4/2025, 10:14:41 PM
Last updated: 11/17/2025, 9:28:41 AM