CVE-2025-61622
published 2025-10-01


Priority: P182
Severity: critical, 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 41.25% (98.5th percentile)
Deserialization of untrusted data in python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions from 0.1.0 through 0.10.3: allows arbitrary code execution. An application is vulnerable if it reads pyfory serialized data from untrusted sources. An attacker can craft a data stream that selects pickle-fallback serializer during deserialization, leading to the execution of `pickle.loads`, which is vulnerable to remote code execution. Users are recommended to upgrade to pyfory version 0.12.3 or later, which has removed pickle fallback serializer and thus fixes this issue.
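As an added illustration (not pyfory's code), the following shows how a defender can gate any pickle-based fallback path of the kind described above: statically scan the stream for opcodes that resolve or call globals, then refuse every global lookup during load. The sample pickles are constructed inline; the real fix for this CVE remains upgrading to pyfory 0.12.3 or later.

```python
import io
import pickle
import pickletools

# Opcodes through which a pickle stream can import a module attribute or
# invoke a callable; a stream made only of plain data never needs them.
DANGEROUS_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
    "NEWOBJ", "NEWOBJ_EX", "BUILD",
}


def find_dangerous_opcodes(data: bytes) -> list:
    """Disassemble the stream without executing it and list risky opcodes."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in DANGEROUS_OPCODES]


class RestrictedUnpickler(pickle.Unpickler):
    """Second layer: refuse every global lookup, so nothing can be resolved or called."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def safe_loads(data: bytes):
    """Load only data-only pickles; reject anything that could reach code."""
    risky = find_dangerous_opcodes(data)
    if risky:
        raise ValueError(f"refusing pickle with opcodes {sorted(set(risky))}")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if safe_loads refuses the stream (used for checks below)."""
    try:
        safe_loads(data)
    except (ValueError, pickle.UnpicklingError):
        return True
    return False


# Constructed samples: a plain document, and a harmless stream that merely
# references the builtin `len` (the same opcode path an attacker would need).
SAFE_OBJ = {"user": "alice", "tags": ["a", "b"], "n": 3, "ok": True}
SAFE_DOC = pickle.dumps(SAFE_OBJ, protocol=4)
GLOBAL_REF = pickle.dumps(len, protocol=4)

if __name__ == "__main__":
    print(safe_loads(SAFE_DOC))
    print("global-referencing stream rejected:", is_rejected(GLOBAL_REF))
```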

Affected (4 ranges)

Vendor                       Product      Version range     Fixed in
apache                       fory         0.1.0 – 0.10.3
apache                       fory         0.12.0 – 0.12.2
apache_software_foundation   apache_fory  0.1.0 – 0.10.3
apache_software_foundation   apache_fory  0.12.0 – 0.12.2