Apache · Apache Fory · CVE-2026-48207
**Name of the Vulnerable Software and Affected Versions**
Apache Fory versions prior to 1.0.0
**Description**
Deserialization of untrusted data in Apache Fory PyFory occurs because the `ReduceSerializer` could bypass the documented `DeserializationPolicy` validation hooks during reduce-state restoration and global-name resolution, so classes, functions, or module attributes that the policy was meant to reject could still be resolved and invoked. An application is affected if it deserializes attacker-controlled data using PyFory's Python-native mode with strict mode disabled and relies on `DeserializationPolicy` to restrict unsafe classes, functions, or module attributes.
**Recommendations**
Upgrade to version 1.0.0 or later.