CVE-2025-61622: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Fory
Deserialization of untrusted data in Python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions 0.1.0 through 0.10.3, allows arbitrary code execution. An application is vulnerable if it reads pyfory serialized data from untrusted sources. An attacker can craft a data stream that selects the pickle-fallback serializer during deserialization, leading to the execution of `pickle.loads`, which is vulnerable to remote code execution. Users are recommended to upgrade to pyfory version 0.12.3 or later, which has removed the pickle fallback serializer and thus fixes this issue.
AI Analysis
Technical Summary
CVE-2025-61622 is a critical vulnerability classified under CWE-502 (Deserialization of Untrusted Data) affecting Apache Software Foundation's Apache Fory and legacy Pyfury Python libraries. The vulnerability exists in pyfory versions 0.12.0 through 0.12.2 and pyfury versions 0.1.0 through 0.10.3, where the deserialization process can fall back to Python's pickle serializer when processing serialized data streams. Since pickle is inherently unsafe when handling untrusted input, an attacker can craft malicious serialized data that triggers pickle.loads execution, leading to arbitrary code execution on the target system. This vulnerability does not require any authentication or user interaction, making it trivially exploitable remotely if the application reads serialized data from untrusted sources. The impact includes full compromise of the affected system's confidentiality, integrity, and availability. The Apache Fory project addressed this issue in version 0.12.3 by removing the pickle fallback serializer, effectively eliminating the attack vector. No known exploits are currently reported in the wild, but the high severity and ease of exploitation make it a critical threat. Organizations using these libraries in production environments should urgently upgrade to the fixed version and audit their data deserialization practices to ensure no untrusted data is processed.
Potential Impact
For European organizations, the impact of CVE-2025-61622 is substantial. Exploitation allows attackers to execute arbitrary code remotely without authentication, potentially leading to full system compromise. This can result in data breaches, disruption of services, and unauthorized access to sensitive information. Organizations relying on Apache Fory or legacy Pyfury for data serialization in web services, APIs, or internal tools are particularly vulnerable. Critical sectors such as finance, healthcare, government, and telecommunications could face severe operational and reputational damage if exploited. The vulnerability's ease of exploitation and high CVSS score (9.8) underscore the urgency for mitigation. Additionally, the potential for lateral movement within networks after initial compromise increases the risk of widespread impact. European data protection regulations (e.g., GDPR) also heighten the consequences of data breaches stemming from this vulnerability.
Mitigation Recommendations
1. Immediately upgrade Apache Fory to version 0.12.3 or later, which removes the insecure pickle fallback serializer.
2. For legacy Pyfury users, migrate to updated versions or alternative serialization libraries that do not rely on unsafe deserialization mechanisms.
3. Audit all applications and services to identify any usage of pyfory or pyfury libraries, especially where serialized data is received from untrusted or external sources.
4. Implement strict input validation and enforce allowlisting of serialization formats to prevent fallback to unsafe serializers.
5. Employ network segmentation and application-layer firewalls to limit exposure of services that deserialize external data.
6. Monitor logs and network traffic for unusual deserialization attempts or anomalies indicative of exploitation attempts.
7. Educate developers about the risks of deserializing untrusted data and promote secure coding practices.
8. Consider deploying runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect and block exploitation attempts in real time.
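The root cause described above is that a crafted stream can steer deserialization into `pickle.loads`, and the only complete fix is the one the project shipped in 0.12.3: removing that fallback. Where an upgrade cannot happen immediately, recommendations 4 and 6 amount to a compensating control: never hand a byte stream to pickle unless it has been checked first, and log what was refused. The example below is added here and is not code from the Apache Fory or Pyfury projects; it does not use the pyfory API (the page does not show it) and instead demonstrates the generic gate using only the standard library. It walks the stream with `pickletools.genops` and refuses any stream containing an opcode that can import a module, construct an object or call a callable during loading, so that only plain data (numbers, strings, lists, dicts, tuples) can reach `pickle.loads`. The sample streams are constructed inline: a plain dict that should pass, a `collections.OrderedDict` whose pickle carries a global reference and a `REDUCE` call, and a truncated stream.

```python
"""Gate a byte stream before any pickle-based deserialization is allowed.

Added example (not Apache Fory / pyfory code). The check disassembles a
pickle stream with the standard-library pickletools module and rejects any
stream that could import, instantiate or call something while loading.
"""
from __future__ import annotations

import collections
import logging
import pickle
import pickletools

log = logging.getLogger("pickle-gate")

# Opcodes that resolve a global, build an object or invoke a callable on load.
# Anything else (PROTO, FRAME, MARK, BIN* literals, MEMOIZE, SETITEMS, ...)
# only pushes plain data onto the unpickler's stack.
UNSAFE_OPCODES = frozenset({
    "GLOBAL", "STACK_GLOBAL",        # import module.attribute
    "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",  # instantiate a class
    "REDUCE", "BUILD",               # call callable / apply __setstate__
    "EXT1", "EXT2", "EXT4",          # copyreg extension registry lookups
    "PERSID", "BINPERSID",           # persistent_load hook
})


def find_unsafe_opcodes(data: bytes) -> list[tuple[str, int]]:
    """Return (opcode name, byte offset) for every unsafe opcode in the stream.

    A malformed or truncated stream is reported as a single MALFORMED entry
    at offset -1 so that callers treat it the same way as an unsafe stream.
    """
    found: list[tuple[str, int]] = []
    try:
        for opcode, _arg, pos in pickletools.genops(data):
            if opcode.name in UNSAFE_OPCODES:
                found.append((opcode.name, pos))
    except (ValueError, EOFError) as exc:
        found.append((f"MALFORMED:{type(exc).__name__}", -1))
    return found


def safe_pickle_loads(data: bytes):
    """Load the stream only if it carries plain data; raise and log otherwise."""
    unsafe = find_unsafe_opcodes(data)
    if unsafe:
        # This log line is what recommendation 6 would look for.
        log.warning("refused pickle stream (%d bytes): %s", len(data), unsafe)
        raise ValueError(f"refusing pickle stream: unsafe opcodes {unsafe}")
    return pickle.loads(data)


# Constructed sample streams (not captured from any real application).
PLAIN_STREAM = pickle.dumps({"id": 7, "tags": ["a", "b"], "score": 0.5})
GLOBAL_STREAM = pickle.dumps(collections.OrderedDict(a=1))   # needs an import + REDUCE
TRUNCATED_STREAM = PLAIN_STREAM[:-1]                          # STOP opcode removed


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print("plain    ->", safe_pickle_loads(PLAIN_STREAM))
    for name, stream in (("global", GLOBAL_STREAM), ("truncated", TRUNCATED_STREAM)):
        try:
            safe_pickle_loads(stream)
        except ValueError as err:
            print(f"{name:9}-> rejected: {err}")
```

The gate sits in front of `pickle.loads`, not inside it, so it also works as a network or log-side detector: run `find_unsafe_opcodes` over captured payloads and alert on any non-empty result. An alternative with the same effect is a `pickle.Unpickler` subclass whose `find_class` raises unconditionally, but the opcode scan has the advantage of never starting the unpickler at all and of producing an offset you can log.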
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: apache
- Date Reserved: 2025-09-29T06:47:23.146Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ddc314107aa30f08655c41
Added to database: 10/2/2025, 12:11:00 AM
Last enriched: 11/4/2025, 10:14:41 PM
Last updated: 1/7/2026, 4:23:07 AM