CVE-2026-48207

🟠 Łataj w tym tygodniu

Deserializacja nieufnych danych w Apache Fory umożliwia atakującym obejście polityki walidacji.

CVSS

9.8

EPSS

0.0%

Exploit

none

Vendor

Opis źródłowy (NVD)

Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes. This issue affects Apache Fory: from before 1.0.0. Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.

deserialization Brak patcha

Źródła i daty

Źródło	Wartość
NVD – CVSS	9.8
CISA KEV (aktywnie wykorzystywane)	Nie
FIRST EPSS (prawdopodobieństwo exploita)	0.0%
Opublikowano (NVD)	2026-05-21 17:16:21 UTC
Ostatnia modyfikacja (NVD)	2026-05-21 19:16:53 UTC

Referencje

https://fory.apache.org/security/#cve-2026-48207-pyfory-reduceserializer-deserializationpolicy-bypass (security@apache.org)
http://www.openwall.com/lists/oss-security/2026/05/21/10 (af854a3a-2127-422b-91ae-364da2661108)