Apache Fory
By the Year
In 2026 there have been 2 vulnerabilities in Apache Fory with an average score of 9.5 out of ten. Last year, in 2025, Fory had 2 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Fory in 2026 could surpass last year's number. The average CVE base score of the vulnerabilities in 2026 is also greater by 1.30.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 2 | 9.45 |
| 2025 | 2 | 8.15 |
It may take a day or so for new Fory vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Apache Fory Security Vulnerabilities
Apache Fory-core Java SDK <1.1.0: Deserialization of Untrusted Data
CVE-2026-50076 | 9.1 - Critical | June 04, 2026
Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via crafted Fory serialized data. Users are recommended to upgrade to version 1.1.0 or later, which fixes this issue.
Marshaling, Unmarshaling
Apache Fory <1.0.0: Untrusted Deserialization via ReduceSerializer
CVE-2026-48207 | 9.8 - Critical | May 21, 2026
Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass the documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes. This issue affects Apache Fory versions before 1.0.0. Mitigation: users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.
Marshaling, Unmarshaling
Arbitrary Code Exec via Pickle Fallback in Python pyfury/pyfory 0.12.0-0.12.2
CVE-2025-61622 | 9.8 - Critical | October 01, 2025
Deserialization of untrusted data in Python pyfory versions 0.12.0 through 0.12.2, and in the legacy pyfury versions 0.1.0 through 0.10.3, allows arbitrary code execution. An application is vulnerable if it reads pyfory serialized data from untrusted sources. An attacker can craft a data stream that selects the pickle-fallback serializer during deserialization, leading to the execution of `pickle.loads`, which is vulnerable to remote code execution. Users are recommended to upgrade to pyfory version 0.12.3 or later, which has removed the pickle fallback serializer and thus fixes this issue.
Marshaling, Unmarshaling
Apache Fory <0.12.2: DoS via Insecure Deserialization
CVE-2025-59328 | 6.5 - Medium | September 15, 2025
A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). The issue stems from the insecure deserialization of untrusted data. An attacker can supply a large, specially crafted data payload that, when processed, consumes an excessive amount of CPU resources during the deserialization process. This leads to CPU exhaustion, rendering the application or system using the Apache Fory library unresponsive and unavailable to legitimate users. Users of Apache Fory are strongly advised to upgrade to version 0.12.2 or later to mitigate this vulnerability. Developers of libraries and applications that depend on Apache Fory should update their dependency requirements to Apache Fory 0.12.2 or later and release new versions of their software.
Marshaling, Unmarshaling