Apache Fory Denial-of-Service Vulnerability via Insecure Deserialization
Vulnerability
A denial-of-service vulnerability has been identified in Apache Fory versions 0.5.0 through 0.12.1 (fixed in 0.12.2). Fory deserializes untrusted data without sufficient safeguards, so a remote attacker who can reach a Fory deserialization endpoint can send large, specially crafted payloads that exhaust CPU resources while they are processed. The resulting CPU exhaustion leaves the application or system using Apache Fory unresponsive, disrupting service for legitimate users.
Impact
Exploitation of this vulnerability leads to CPU exhaustion, causing the application or system to become unresponsive and unavailable to legitimate users.
Remediation
Users are advised to upgrade to Apache Fory version 0.12.2 or later. Developers of libraries and applications that depend on Apache Fory should update their dependency requirements to version 0.12.2 or later and release new versions of their software.
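The following script is an added example, not part of this advisory or of the Apache Fory project: it flags Maven and Gradle dependencies whose version falls in the affected range stated above (0.5.0 through 0.12.1, with the fix in 0.12.2). The Maven coordinates are assumptions: `org.apache.fory` for current releases and `org.apache.fury` for releases published before the project rename. Pre-releases of 0.12.2 are treated as affected because they predate the fixed release. The sample `pom.xml` and `build.gradle` fragments are constructed for the example.

```python
"""Flag Apache Fory (formerly Fury) dependencies in the affected range 0.5.0..0.12.1.
Added example; not the Fory project's own code. Maven coordinates are assumed."""
import re
import xml.etree.ElementTree as ET

# Version tuples are (major, minor, patch, is_final); a pre-release suffix sets
# is_final to 0 so that 0.12.2-rc1 sorts below the fixed release 0.12.2.
AFFECTED_MIN = (0, 5, 0, 1)   # first affected release, per the advisory
FIXED = (0, 12, 2, 1)         # first fixed release, per the advisory

# Assumed coordinates: pre-rename releases were published under org.apache.fury.
FORY_GROUPS = ("org.apache.fory", "org.apache.fury")


def parse_version(text):
    """Return (major, minor, patch, is_final) or None if not x.y.z[-suffix]."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.]([0-9A-Za-z.-]+))?", text.strip())
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), 0 if suffix else 1)


def is_affected(version):
    """True when version lies in [0.5.0, 0.12.2); raises on unparseable input."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unparseable version: {version!r}")
    return AFFECTED_MIN <= v < FIXED


def _local(tag):
    """Strip the POM XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def scan_pom(pom_xml):
    """Return (groupId, artifactId, version, affected) for Fory deps in a pom.xml string.
    affected is None when the version could not be parsed (e.g. unresolved property)."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in el})
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") not in FORY_GROUPS:
            continue
        version = fields.get("version", "")
        # Resolve ${property} references such as ${fory.version} from <properties>.
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), version)
        affected = is_affected(version) if parse_version(version) else None
        findings.append((fields["groupId"], fields.get("artifactId", ""), version, affected))
    return findings


def scan_gradle(build_gradle):
    """Same check for 'group:artifact:version' strings in a Gradle build script."""
    pat = re.compile(r"""["'](org\.apache\.f(?:o|u)ry):([\w.-]+):([^"':]+)["']""")
    return [(g, a, v, is_affected(v) if parse_version(v) else None)
            for g, a, v in pat.findall(build_gradle)]


# Constructed sample inputs (not taken from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><fory.version>0.12.1</fory.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.fory</groupId>
      <artifactId>fory-core</artifactId>
      <version>${fory.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.fury</groupId>
      <artifactId>fury-core</artifactId>
      <version>0.4.1</version>
    </dependency>
  </dependencies>
</project>"""

SAMPLE_GRADLE = """dependencies {
    implementation 'org.apache.fory:fory-core:0.12.2'
    testImplementation "org.apache.fury:fury-core:0.9.0"
}"""

if __name__ == "__main__":
    for g, a, v, hit in scan_pom(SAMPLE_POM) + scan_gradle(SAMPLE_GRADLE):
        status = "AFFECTED, upgrade to 0.12.2 or later" if hit else "ok"
        print(f"{g}:{a}:{v} -> {status}")
```

Run it against a checked-out repository by passing the file contents to `scan_pom` or `scan_gradle`; a `None` in the last column means the version was a property the script could not resolve and needs a manual look. Transitive dependencies are not covered here, so pair this with the build tool's own dependency tree output.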
