PT-2025-39961 · Apache · Apache Fory

Bugbunny_Ai

·

Published

2025-09-30

·

Updated

2026-06-29

·

CVE-2025-61622

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions pyfory versions 0.12.0 through 0.12.2 pyfury versions 0.1.0 through 0.10.3
Description Deserialization of untrusted data in Python allows arbitrary code execution. An application is susceptible if it reads serialized data from untrusted sources. An attacker can craft a data stream that triggers the pickle-fallback serializer during deserialization, resulting in the execution of the pickle.loads() function, which enables remote code execution.
Recommendations Upgrade pyfory versions 0.12.0 through 0.12.2 to version 0.12.3 or later. Upgrade pyfury versions 0.1.0 through 0.10.3 to pyfory version 0.12.3 or later.

Exploit

Fix

RCE

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2025-61622
GHSA-538V-3WQ9-4H3R
PYSEC-2026-490
PYSEC-2026-491

Affected Products

Apache Fory