AI description
CVE-2025-61622 describes a deserialization of untrusted data vulnerability affecting Apache Pyfory (pyfory versions 0.12.0 through 0.12.2) and legacy Pyfury (versions 0.1.0 through 0.10.3). This flaw allows for arbitrary code execution if an application processes serialized data from untrusted sources. The vulnerability stems from an unguarded `pickle-fallback serializer`. An attacker can exploit this by crafting a malicious data stream that, when deserialized, forces the application to use `pickle.loads`, which is susceptible to remote code execution. Users are advised to upgrade to Pyfory version 0.12.3 or later, as this version addresses the issue by removing the problematic `pickle fallback serializer`.
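The fallback described above hands an untrusted stream to a plain `pickle.loads`, whose default `find_class` imports whatever module and attribute the stream names. The block below is an added illustration, not pyfory's own code: it contrasts that bare loader with an `Unpickler` whose `find_class` is restricted to a constructed allowlist, and adds a `pickletools` scan that flags reference and call opcodes without executing the stream. The sample streams are constructed for the example; the allowlist contents are an assumption.

```python
import io
import json
import pickle
import pickletools
from collections import OrderedDict

PROTOCOL = 4  # pinned so the opcode names below are stable across Python versions

# Opcodes that import, build or call referenced objects. Any of them in a stream
# from an untrusted source deserves a refusal before the stream is unpickled.
REFERENCE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ",
                     "NEWOBJ_EX", "REDUCE", "BUILD"}

def global_references(data: bytes) -> list:
    """Names of reference/call opcodes in `data`. pickletools only disassembles,
    it never executes the stream, so this is safe to run on untrusted bytes."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in REFERENCE_OPCODES]

def bare_loads(data: bytes):
    """The unguarded pattern: the default find_class imports whatever is named."""
    return pickle.loads(data)

class AllowlistUnpickler(pickle.Unpickler):
    """find_class resolves only an explicit allowlist (constructed for this
    example; a real service lists exactly the types it expects)."""
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")

def guarded_loads(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()

def guarded_refuses(data: bytes) -> bool:
    """True if the allowlisted loader rejects `data` instead of loading it."""
    try:
        guarded_loads(data)
    except pickle.UnpicklingError:
        return True
    return False

# Constructed sample streams: plain data, an allowed type, and a stream that
# names a function by module and attribute (dumps executes nothing).
PLAIN = pickle.dumps({"user": "alice", "roles": ["viewer"]}, protocol=PROTOCOL)
ALLOWED_TYPE = pickle.dumps(OrderedDict(a=1), protocol=PROTOCOL)
NAMES_A_FUNCTION = pickle.dumps(json.loads, protocol=PROTOCOL)

if __name__ == "__main__":
    print(global_references(NAMES_A_FUNCTION))  # ['STACK_GLOBAL']
    print(bare_loads(NAMES_A_FUNCTION))         # bare loader hands back json.loads
    print(guarded_refuses(NAMES_A_FUNCTION))    # True
```

The scan is a cheap pre-check for logging or rejection at an ingress boundary; the allowlisted loader is the control that actually stops the stream from resolving arbitrary callables.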
- Description: Deserialization of untrusted data in Python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions 0.1.0 through 0.10.3, allows arbitrary code execution. An application is vulnerable if it reads pyfory serialized data from untrusted sources. An attacker can craft a data stream that selects the pickle-fallback serializer during deserialization, leading to the execution of `pickle.loads`, which is vulnerable to remote code execution. Users are recommended to upgrade to pyfory version 0.12.3 or later, which has removed the pickle fallback serializer and thus fixes this issue.
- Source: security@apache.org
- NVD status: Analyzed
- Products: fory

CVSS 3.1
- Type: Secondary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
- Weakness: CWE-502 (source: security@apache.org)
- Hype score: Not currently trending
Warning about a serious security vulnerability in PyFory: CVE-2025-61622. It concerns insecure Pickle deserialization that can lead to remote code execution. A serious security vulnerability, CVE-2025-61622, has been identified
@fad_777
31 May 2026
CVE-2025-61622: PyFory – Insecure Pickle Deserialization to Remote Code Execution https://t.co/g8Ihfz9WxX
@0x0Huda
30 May 2026
CVE-2025-61622 is an unauthenticated remote code execution in PyFory (formerly PyFury) 0.12.0–0.12.2 reachable through the library’s fallback path for unregistered types: "handle_unsupported_read()" instantiates a bare "pickle.Unpickler" with no "find_class" override and call
@bytecodevm
30 May 2026
CVE-2025-61622: PyFory – Insecure Pickle Deserialization to Remote Code Execution https://t.co/jjaV5Eg0AI
@Dinosn
28 May 2026
66 CVE-2025-58434 CVE-2025-59057 CVE-2025-59790 CVE-2025-59792 CVE-2025-61622 CVE-2025-61686 CVE-2025-64756 CVE-2026-21884 CVE-2026-22807 CVE-2026-23630 CVE-2026-27471 CVE-2026-27806 CVE-2026-27955 CVE-2026-28215 CVE-2026-28217 CVE-2026-28351 CVE-2026-28361 CVE-2026-28384
@BugBunny_ai
14 May 2026
#VulnerabilityReport #ApacheFory Critical RCE Flaw in Apache Fory’s Python Module (CVE-2025-61622) https://t.co/jZ21dCNKeA
@Komodosec
4 Nov 2025
Critical vulnerability in Apache Fory (pyfory/pyfury) (CVE-2025-61622) https://t.co/kJeKgOwAAQ #セキュリティ対策Lab #セキュリティ #Security
@securityLab_jp
2 Oct 2025
ZERO-DAY DANGER: Unauthenticated RCE Flaw in Apache Fory Python Module (CVE-2025-61622) Allows Full System Takeover. Read the full report on - https://t.co/sSgT48Gk0J https://t.co/h8rLUveQEE
@cyberbivash
1 Oct 2025
CVE-2025-61622 Deserialization of untrusted data in python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions from 0.1.0 through 0.10.3: allows arbitrary code e… https://t.co/di7Fv1n83H
@CVEnew
1 Oct 2025
CVE-2025-61622: Apache Fory: Python RCE via unguarded pickle fallback serializer in pyfory https://t.co/VOyP24gXI6 Severity: critical Deserialization of untrusted data [...] allows arbitrary code execution
@oss_security
30 Sept 2025
CVE-2025-61622 CVE-2025-61622 https://t.co/3p9gvPXQVI
@VulmonFeeds
29 Sept 2025
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:fory:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "6CDF1C62-3007-4137-AFBA-9EBB78508E22",
            "versionEndIncluding": "0.10.3",
            "versionStartIncluding": "0.1.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:fory:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "B2E53C07-98C5-4EC3-985C-7C635D7A3CD8",
            "versionEndIncluding": "0.12.2",
            "versionStartIncluding": "0.12.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]