Apache Fory PyFory ReduceSerializer DeserializationPolicy Bypass Vulnerability

Vulnerability

A vulnerability exists in Apache Fory PyFory versions 0.13.0 up to but not including 1.0.0 that allows the ReduceSerializer to bypass the DeserializationPolicy validation hooks. The bypass occurs in Python-native mode with strict mode disabled, where untrusted data is deserialized. Applications are at risk if they deserialize attacker-controlled data and rely on DeserializationPolicy to restrict which classes, functions, or module attributes may be loaded.

Impact

Exploitation of this vulnerability allows deserialization of data that the configured DeserializationPolicy should have rejected, potentially letting an attacker manipulate application behavior or introduce malicious objects.

Remediation

Users are advised to upgrade to Apache Fory PyFory version 1.0.0 or later, which enforces DeserializationPolicy validation on the affected ReduceSerializer paths. Libraries and applications that depend on Apache Fory should update their dependency requirements to the patched version and release new versions of their own.
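The following is an added example, not code from the Apache Fory project: a small checker that flags pinned pyfory versions inside the affected range stated above, handling pre-release tags so that a 1.0.0 release candidate still counts as unpatched. The sample requirements file is constructed, and the distribution name pyfory is an assumption.

```python
"""Flag pyfory versions inside the affected range named above (>= 0.13.0, < 1.0.0).

Added example, not Apache Fory project code. The range comes from the advisory;
nothing here calls the pyfory API.
"""
import re

# PEP 440-style release with an optional pre-release tag (a1, b2, rc1, dev3).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[.\-]?(a|b|rc|dev|alpha|beta)\d*)?$")

def parse_version(text):
    """Return (major, minor, patch, rank); rank 0 = pre-release, 1 = final release.

    The rank makes 1.0.0rc1 sort below the fixed 1.0.0 (still unpatched) and
    0.13.0.dev1 sort below 0.13.0 (before the affected range).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)

AFFECTED_MIN = parse_version("0.13.0")  # first affected release
FIXED = parse_version("1.0.0")          # first release enforcing the policy

def is_affected(version):
    """True if this pyfory version falls inside the affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED

_PIN_RE = re.compile(r"^\s*pyfory\s*==\s*([^\s;#]+)", re.IGNORECASE)

def affected_pins(requirements_text):
    """Return pinned pyfory versions in requirements.txt text that are affected."""
    hits = []
    for line in requirements_text.splitlines():
        m = _PIN_RE.match(line)
        if m and is_affected(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed sample requirements file, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
numpy==1.26.4
pyfory==0.13.2   # serializer used by the ingest service
requests==2.32.3
"""

if __name__ == "__main__":
    for v in affected_pins(SAMPLE_REQUIREMENTS):
        print(f"pyfory=={v} is affected; upgrade to 1.0.0 or later")
```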

Added: May 21, 2026, 5:34 PM
Updated: May 21, 2026, 5:34 PM

Vulnerability Rating (Custom Algorithm)

spread          0.0
impact          2.5
exploitability  6.8
remediation     0.0
relevance       8.5
threat          0.0
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.