Skip to content

Commit b60ef27

Browse files
committed
1 parent 4cf49cf commit b60ef27

1 file changed

Lines changed: 22 additions & 1 deletion

File tree

advisories/unreviewed/2026/05/GHSA-m5gw-83w2-7749/GHSA-m5gw-83w2-7749.json

Lines changed: 22 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,14 +6,35 @@
66
"aliases": [
77
"CVE-2026-48207"
88
],
9+
"summary": "PyFory ReduceSerializer DeserializationPolicy bypass",
910
"details": "Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes.\n\nThis issue affects Apache Fory: from before 1.0.0.\n\nMitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.",
1011
"severity": [
1112
{
1213
"type": "CVSS_V3",
1314
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
1415
}
1516
],
16-
"affected": [],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "pyfory"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0.13.0"
29+
},
30+
{
31+
"fixed": "1.0.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
1738
"references": [
1839
{
1940
"type": "ADVISORY",

0 commit comments

Comments
 (0)