Apache Fory Pyfory and Pyfury Deserialization Vulnerability Leading to Remote Code Execution

Vulnerability

A critical vulnerability exists in the Apache Fory Python packages pyfory (versions 0.12.0 to 0.12.2) and pyfury (the new name introduced in version 0.12.0, also covering versions 0.12.0 to 0.12.2). The flaw is deserialization of untrusted data, which allows arbitrary code execution. Any application that reads pyfory serialized data from an untrusted source is at risk. An attacker can craft a data stream that triggers the pickle-fallback serializer during deserialization; that serializer calls 'pickle.loads' on attacker-controlled bytes. 'pickle.loads' executes code embedded in the stream by design, so deserializing untrusted input through it amounts to remote code execution.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where the vulnerable application is running.

Remediation

Users are advised to upgrade to Apache Fory version 0.12.3 or later, which removes the pickle fallback serializer and addresses this vulnerability.
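An added example, not part of the advisory and not Apache Fory project code: a small audit helper that checks whether an installed pyfory or pyfury distribution falls in the affected range (0.12.0 up to but not including the fixed 0.12.3) and reports what to do. It assumes "pyfory" and "pyfury" are the distribution names as installed via pip; pre-release suffixes such as "rc1" are treated conservatively as earlier than the final release of the same number.

```python
"""Audit installed pyfory / pyfury versions against the affected range."""
from importlib import metadata

# Distribution names as stated in the advisory (assumed to match the pip names).
AFFECTED_PACKAGES = ("pyfory", "pyfury")

# Version tuples: (major, minor, patch, is_final) where is_final is 0 for a
# pre-release and 1 for a final release, so "0.12.3rc1" sorts before "0.12.3".
FIRST_AFFECTED = (0, 12, 0, 0)
FIRST_FIXED = (0, 12, 3, 1)


def parse_version(version: str) -> tuple:
    """Parse "0.12.2" or "0.12.2rc1" into a comparable 4-tuple.

    Only the first three dotted components are considered; any non-digit
    suffix inside them marks the version as a pre-release.
    """
    parts = []
    prerelease = False
    for piece in version.strip().split(".")[:3]:
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                prerelease = True
                break
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2], 0 if prerelease else 1)


def is_affected(version: str) -> bool:
    """True if the version is in [0.12.0, 0.12.3), i.e. has the pickle fallback."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def audit_installed() -> dict:
    """Return {distribution: {"version": ..., "affected": bool}} for installed packages."""
    findings = {}
    for pkg in AFFECTED_PACKAGES:
        try:
            installed = metadata.version(pkg)
        except metadata.PackageNotFoundError:
            continue  # not installed in this environment
        findings[pkg] = {"version": installed, "affected": is_affected(installed)}
    return findings


if __name__ == "__main__":
    report = audit_installed()
    if not report:
        print("Neither pyfory nor pyfury is installed.")
    for name, info in report.items():
        status = "AFFECTED - upgrade to 0.12.3 or later" if info["affected"] else "ok"
        print(f"{name} {info['version']}: {status}")
```

Run it in each virtual environment that handles Fory data; an "AFFECTED" line means the pickle fallback is still present and the upgrade in the remediation section applies.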

Added: Oct 1, 2025, 10:17 AM
Updated: Oct 1, 2025, 3:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 7.4
remediation: 7.7
relevance: 0.6
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.