Apache Fory PyFory Deserialization of Untrusted Data
Critical severity
GitHub Reviewed
Published
May 21, 2026
to the GitHub Advisory Database
•
Updated Jun 30, 2026
Description
Published by the National Vulnerability Database
May 21, 2026
Published to the GitHub Advisory Database
May 21, 2026
Reviewed
Jun 30, 2026
Last updated
Jun 30, 2026
Fory PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes.
This issue affects Apache Fory: from before 1.0.0.
Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.
References