CVE-2026-48207: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Fory
Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes. This issue affects Apache Fory: from before 1.0.0. Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.
AI Analysis
Technical Summary
Apache Fory versions prior to 1.0.0 contain a CWE-502 deserialization vulnerability in the PyFory ReduceSerializer. This serializer could bypass the intended DeserializationPolicy validation during the restoration of reduce-state and global-name resolution, allowing potentially unsafe classes, functions, or module attributes to be deserialized if strict mode is disabled and the application relies on DeserializationPolicy for security. The vulnerability is addressed in version 1.0.0 by enforcing validation in the affected ReduceSerializer code paths.
Potential Impact
An application using Apache Fory before version 1.0.0 that deserializes attacker-controlled data in Python-native mode with strict mode disabled and relies on DeserializationPolicy for restricting unsafe deserialization is vulnerable. This could lead to the execution of unsafe or malicious code during deserialization. No known exploits in the wild have been reported as of the published date.
Mitigation Recommendations
Users should upgrade Apache Fory to version 1.0.0 or later, where the DeserializationPolicy validation is enforced for the ReduceSerializer, effectively fixing this vulnerability. No other mitigation or temporary workaround is indicated in the advisory.
CVE-2026-48207: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Fory
Description
Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes. This issue affects Apache Fory: from before 1.0.0. Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Apache Fory versions prior to 1.0.0 contain a CWE-502 deserialization vulnerability in the PyFory ReduceSerializer. This serializer could bypass the intended DeserializationPolicy validation during the restoration of reduce-state and global-name resolution, allowing potentially unsafe classes, functions, or module attributes to be deserialized if strict mode is disabled and the application relies on DeserializationPolicy for security. The vulnerability is addressed in version 1.0.0 by enforcing validation in the affected ReduceSerializer code paths.
Potential Impact
An application using Apache Fory before version 1.0.0 that deserializes attacker-controlled data in Python-native mode with strict mode disabled and relies on DeserializationPolicy for restricting unsafe deserialization is vulnerable. This could lead to the execution of unsafe or malicious code during deserialization. No known exploits in the wild have been reported as of the published date.
Mitigation Recommendations
Users should upgrade Apache Fory to version 1.0.0 or later, where the DeserializationPolicy validation is enforced for the ReduceSerializer, effectively fixing this vulnerability. No other mitigation or temporary workaround is indicated in the advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-05-21T12:06:15.985Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0f3a03e1370fbb4820d0f7
Added to database: 5/21/2026, 4:59:47 PM
Last enriched: 5/21/2026, 5:14:52 PM
Last updated: 5/21/2026, 6:00:28 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.