CVE-2025-61622: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Fory
Deserialization of untrusted data in Python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions from 0.1.0 through 0.10.3, allows arbitrary code execution. An application is vulnerable if it reads pyfory serialized data from untrusted sources. An attacker can craft a data stream that selects the pickle-fallback serializer during deserialization, leading to the execution of `pickle.loads`, which is vulnerable to remote code execution. Users are recommended to upgrade to pyfory version 0.12.3 or later, which has removed the pickle fallback serializer and thus fixes this issue.
AI Analysis
Technical Summary
CVE-2025-61622 is a critical security vulnerability affecting Apache Software Foundation's Apache Fory project, specifically pyfory versions 0.12.0 through 0.12.2 and legacy pyfury versions 0.1.0 through 0.10.3. The vulnerability arises from unsafe deserialization of untrusted data in Python. pyfory is the Python implementation of Apache Fory's serialization format (published as pyfury before the project was renamed), and in vulnerable versions it falls back to Python's pickle serializer during deserialization when the data stream selects a type it has no native serializer for. Pickle is known to be unsafe when processing untrusted input because it allows arbitrary code execution. An attacker who can supply crafted serialized data to an application using these vulnerable versions can steer deserialization into the pickle.loads fallback, resulting in remote code execution (RCE) without requiring authentication or user interaction. This can lead to full system compromise, including confidentiality breaches, integrity violations, and denial of service. The vulnerability has a CVSS v3.1 base score of 9.8, indicating critical severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The issue was addressed in pyfory version 0.12.3 by removing the pickle fallback serializer entirely. No known exploits have been reported in the wild as of the publication date (October 1, 2025). This vulnerability is categorized under CWE-502 (Deserialization of Untrusted Data), a common and dangerous class of software flaws that often lead to remote code execution in applications that deserialize data from untrusted sources.
Potential Impact
For European organizations, the impact of CVE-2025-61622 can be severe. Organizations using Apache Fory in their software stacks—particularly those processing serialized data from external or untrusted sources—are at risk of remote code execution attacks. This can lead to unauthorized access, data theft, service disruption, and potential lateral movement within corporate networks. Critical infrastructure, financial institutions, healthcare providers, and government agencies in Europe that rely on Apache Fory or legacy pyfury components could face significant operational and reputational damage if exploited. The vulnerability’s ease of exploitation (no authentication or user interaction required) increases the risk of automated attacks and wormable scenarios. Additionally, the ability to execute arbitrary code remotely can facilitate deployment of ransomware, espionage tools, or other malware, further exacerbating the threat landscape for European entities. Given the critical nature of the vulnerability and the widespread use of Python-based serialization in modern applications, the potential impact spans confidentiality, integrity, and availability of affected systems.
Mitigation Recommendations
European organizations should immediately audit their software environments to identify any use of Apache Fory versions 0.12.0 through 0.12.2 or legacy pyfury versions 0.1.0 through 0.10.3. The primary mitigation is to upgrade to pyfory version 0.12.3 or later, which removes the insecure pickle fallback serializer. If upgrading is not immediately feasible, organizations should implement strict input validation and filtering to ensure that serialized data originates only from trusted sources. Network segmentation and application-layer firewalls can help restrict access to services that deserialize pyfory data. Employ runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect anomalous behavior indicative of exploitation attempts. Additionally, organizations should review and harden their logging and monitoring to detect suspicious deserialization activities. Developers should avoid using pickle or any unsafe serializers for untrusted data and consider adopting safer serialization formats such as JSON or protobuf with strict schema validation. Finally, organizations should prepare incident response plans specific to deserialization vulnerabilities to rapidly contain and remediate any exploitation.
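The mechanism described above (a type tag in the data stream choosing the serializer, with an unregistered tag dropping through to `pickle.loads`) and the fix (remove the fallback so unknown tags are rejected) are illustrated below with a constructed toy format. This is an added example, not pyfory's wire format or code; the tag values, the `REGISTRY` dispatch table and the sample streams are all invented for illustration.

```python
"""Toy type-tag-dispatched deserializer, vulnerable and hardened forms.
Constructed for illustration; this is NOT the pyfory wire format."""
import pickle
import struct

# Constructed type tags: the first byte of a message selects the serializer.
TAG_INT, TAG_STR = 1, 2


def _decode_int(payload: bytes) -> int:
    return struct.unpack(">q", payload)[0]


def _decode_str(payload: bytes) -> str:
    return payload.decode("utf-8")


REGISTRY = {TAG_INT: _decode_int, TAG_STR: _decode_str}


def deserialize_with_fallback(data: bytes):
    """Vulnerable pattern (CWE-502): an unregistered tag falls back to
    pickle.loads, so whoever produced the bytes decides when pickle runs."""
    tag, payload = data[0], data[1:]
    decoder = REGISTRY.get(tag)
    if decoder is None:
        return pickle.loads(payload)  # sender-selected code path
    return decoder(payload)


def deserialize_strict(data: bytes):
    """Hardened pattern, conceptually what removing the pickle fallback
    achieves: unknown tags are rejected and never handed to pickle."""
    tag, payload = data[0], data[1:]
    decoder = REGISTRY.get(tag)
    if decoder is None:
        raise ValueError(f"unsupported type tag {tag}: refusing to deserialize")
    return decoder(payload)


# Constructed sample streams. Tag 0xFF is not registered; the payload here is
# a harmless pickled list, but the vulnerable decoder would run any pickle.
STREAM_INT = bytes([TAG_INT]) + struct.pack(">q", 42)
STREAM_STR = bytes([TAG_STR]) + "hello".encode("utf-8")
STREAM_UNKNOWN = bytes([0xFF]) + pickle.dumps(["untrusted", 1])


def strict_rejects(data: bytes) -> bool:
    """True if the hardened decoder refuses the stream."""
    try:
        deserialize_strict(data)
    except ValueError:
        return True
    return False
```

Running `deserialize_with_fallback(STREAM_UNKNOWN)` reaches `pickle.loads`, while `strict_rejects(STREAM_UNKNOWN)` returns `True`; both decoders handle the registered tags identically.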
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: apache
- Date Reserved: 2025-09-29T06:47:23.146Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ddc314107aa30f08655c41
Added to database: 10/2/2025, 12:11:00 AM
Last enriched: 10/2/2025, 12:12:05 AM
Last updated: 10/3/2025, 8:14:58 AM