CVE-2025-59328

6.5 MEDIUM

📋 TL;DR

This CVE describes a denial-of-service vulnerability in Apache Fory caused by deserialization of untrusted data. An attacker who can get a specially crafted payload to a Fory deserializer can make it consume excessive CPU, leaving the application unresponsive. All users of Apache Fory versions before 0.12.2 are affected; the exposure of a given deployment depends on whether externally supplied bytes reach Fory at all.

💻 Affected Systems

Products:
  • Apache Fory
Versions: All versions before 0.12.2
Operating Systems: All platforms running Apache Fory
Default Config Vulnerable: ⚠️ Yes
Notes: Any application or library that hands externally supplied bytes to Apache Fory's deserializer (for example over an RPC or message-queue interface) is exposed. Fory itself performs no authentication or filtering of its input; those controls live in the embedding application.

📦 What is this software?

Apache Fory (formerly Apache Fury) is an Apache Software Foundation serialization framework with implementations for Java, Python, Go, Rust, C++ and JavaScript, used for high-throughput object serialization in RPC, messaging and caching stacks. It ships as a library, so the attack surface for this CVE is defined by the applications that call its deserializer.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service outage with prolonged downtime as CPU resources are exhausted, potentially affecting multiple systems if load balancers distribute malicious traffic.

🟠

Likely Case

Application becomes unresponsive to legitimate users, requiring manual intervention to restart services and clear the attack traffic.

🟢

If Mitigated

Minimal impact with proper input validation, rate limiting, and updated dependencies preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No (depends on the embedding application, see below)
Complexity: MEDIUM

Requires crafting a payload that drives the deserializer into excessive CPU work. Fory itself performs no authentication, so whether an attacker needs credentials depends entirely on how the embedding application exposes the endpoint that feeds bytes to Fory; an unauthenticated endpoint is exploitable by anyone who can reach it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.12.2 or later

Vendor Advisory: https://fory.apache.org/security/

Restart Required: Yes (the patched library only takes effect once the application is rebuilt and redeployed, which restarts the process)

Instructions:

1. Update the Apache Fory dependency to version 0.12.2 or later. Check transitive dependencies as well, since another library may pull in an older Fory (for Maven, mvn dependency:tree shows the resolved version).
2. Rebuild and redeploy every application that uses the updated library.
3. Test functionality to confirm compatibility.

🔧 Temporary Workarounds

Input validation and size limits

Applies to: all platforms

Reject payloads larger than the largest legitimate message before they reach the deserializer, and validate the message envelope (source, message type, declared length) first. A size cap alone is not sufficient here, because the advisory describes a crafted payload, not necessarily a large one, so pair it with the rate limit below.

Rate limiting

Applies to: all platforms

Rate-limit, per source, the endpoints that accept data for deserialization, so that a single client cannot keep the deserializer busy with expensive payloads.
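The two workarounds above can be combined into one guard that sits in front of the deserializer. The following is an added example written for this page, not code from Apache Fory or its documentation. It wraps an arbitrary deserialize callable (in production that would be Fory's own deserialize method; here json.loads stands in so the demo runs offline) with a payload size cap, a per-source token-bucket rate limit and a CPU-time budget that counts calls which burned more CPU than expected, so that a source which keeps sending expensive payloads can be cut off. The thresholds, the source identifiers and the stand-in deserializer are illustrative assumptions.

```python
import json
import time
from collections import defaultdict


class PayloadRejected(Exception):
    """Raised when a payload fails a pre-deserialization check."""


class DeserializeGuard:
    """Defense-in-depth checks around a deserializer call.

    Three controls: a hard payload size cap, a per-source token-bucket rate
    limit, and a CPU-time budget that counts calls which used more CPU than
    expected so that repeat offenders can be blocked.
    """

    def __init__(self, deserialize, *, max_bytes=64 * 1024, rate=20.0,
                 burst=40, cpu_budget_s=0.05, ban_after=3,
                 clock=time.monotonic, cpu_clock=time.process_time):
        # In production this would be Fory's own deserialize method (assumption);
        # the demo below uses json.loads as a stand-in.
        self._deserialize = deserialize
        self.max_bytes = max_bytes
        self.rate = rate              # tokens refilled per second, per source
        self.burst = burst            # bucket capacity
        self.cpu_budget_s = cpu_budget_s
        self.ban_after = ban_after    # over-budget calls before a source is blocked
        self._clock = clock           # injectable for testing
        self._cpu_clock = cpu_clock   # injectable for testing
        self._buckets = {}            # source -> (tokens, last_refill_time)
        self.over_budget = defaultdict(int)

    def _take_token(self, source):
        now = self._clock()
        tokens, last = self._buckets.get(source, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        self._buckets[source] = (tokens - 1.0 if allowed else tokens, now)
        return allowed

    def check(self, source, payload):
        """Return None if the payload may be deserialized, else the rejection reason."""
        if self.over_budget[source] >= self.ban_after:
            return f"{source} blocked after {self.over_budget[source]} over-budget calls"
        if len(payload) > self.max_bytes:
            return f"payload of {len(payload)} bytes exceeds {self.max_bytes}-byte cap"
        if not self._take_token(source):
            return f"rate limit exceeded for {source}"
        return None

    def handle(self, source, payload):
        """Run the checks, then deserialize while measuring CPU time spent."""
        reason = self.check(source, payload)
        if reason is not None:
            raise PayloadRejected(reason)
        start = self._cpu_clock()
        try:
            return self._deserialize(payload)
        finally:
            # Measured after the fact: this cannot preempt one expensive call, it
            # only lets us spot and block sources that keep sending costly data.
            if self._cpu_clock() - start > self.cpu_budget_s:
                self.over_budget[source] += 1


if __name__ == "__main__":
    # Constructed demo traffic, json.loads standing in for the real deserializer.
    guard = DeserializeGuard(json.loads, max_bytes=256, rate=2.0, burst=3)
    for i in range(5):
        try:
            print(guard.handle("203.0.113.7", b'{"msg": %d}' % i))
        except PayloadRejected as exc:
            print("rejected:", exc)
```

The size cap and rate limit reject before any bytes reach the deserializer; the CPU budget can only be observed after a call returns, which is why it feeds a per-source counter rather than trying to abort the call. In a real deployment the counter would also raise an alert, since a source repeatedly exceeding the budget on small payloads is exactly the pattern this CVE produces.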

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable systems from untrusted networks
  • Deploy WAF or API-gateway rules that enforce body-size and per-source request-rate limits on the affected endpoints; Fory payloads are binary, so content-pattern matching is of limited use here

🔍 How to Verify

Check if Vulnerable:

Determine the Apache Fory version that actually ends up on the classpath or in the runtime environment, including versions pulled in transitively by other libraries.

Check Version:

Check your dependency management file (pom.xml, build.gradle, requirements.txt, etc.) or the resolved dependency tree, for example: grep -iE 'fory|fury' your-dependency-file, or for Maven: mvn dependency:tree | grep -iE 'fory|fury'. Search for both spellings: before the project was renamed, its artifacts were published under the name Fury.

Verify Fix Applied:

Confirm that the resolved Apache Fory version is 0.12.2 or later and test with normal payloads.
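As an added example for the version check above (written for this page, not a tool from the Apache Fory project), the script below scans a Maven pom.xml and a pinned requirements.txt for Fory or Fury dependencies and classifies each against the 0.12.2 fix version. The manifests are constructed samples; the artifact and package names it matches (org.apache.fory:fory-core, org.apache.fury:fury-core, pyfory, pyfury) are assumptions to be checked against your own lockfiles, and a version given as a Maven property such as ${fory.version} is reported as unresolved rather than guessed.

```python
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (0, 12, 2)
MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Fory was published as "Fury" before the rename, so both spellings are matched.
# (Artifact names are assumptions; verify against your own lockfile.)
NAME_PATTERN = re.compile(r"fory|fury", re.IGNORECASE)

# Constructed sample manifests for the demo, not real project files.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.fory</groupId>
      <artifactId>fory-core</artifactId>
      <version>0.12.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.fury</groupId>
      <artifactId>fury-core</artifactId>
      <version>0.10.3</version>
    </dependency>
    <dependency>
      <groupId>org.apache.fory</groupId>
      <artifactId>fory-format</artifactId>
      <version>${fory.version}</version>
    </dependency>
  </dependencies>
</project>
"""

SAMPLE_REQUIREMENTS = """requests==2.32.3
pyfory==0.12.2
"""


def parse_version(text):
    """'0.12.1' or '0.12.2-rc1' -> (0, 12, 1) / (0, 12, 2); None if unparseable."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(n) for n in m.groups()) if m else None


def is_vulnerable(version):
    """True if version < 0.12.2, False if fixed, None if the version is
    unresolved in the manifest (e.g. a Maven property like ${fory.version})."""
    parsed = parse_version(version)
    return None if parsed is None else parsed < FIXED_VERSION


def scan_pom(xml_text):
    """Return (groupId:artifactId, version, state) for every Fory/Fury dependency."""
    root = ET.fromstring(xml_text)
    findings = []
    for dep in root.iterfind(".//m:dependency", MAVEN_NS):
        gid = dep.findtext("m:groupId", default="", namespaces=MAVEN_NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=MAVEN_NS)
        ver = dep.findtext("m:version", default="", namespaces=MAVEN_NS)
        if NAME_PATTERN.search(f"{gid}:{aid}"):
            findings.append((f"{gid}:{aid}", ver, is_vulnerable(ver)))
    return findings


def scan_requirements(text):
    """Same for a pinned requirements.txt (pyfory / pyfury)."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"\s*(pyfory|pyfury)\s*==\s*([^\s;#]+)", line, re.IGNORECASE)
        if m:
            findings.append((m.group(1).lower(), m.group(2), is_vulnerable(m.group(2))))
    return findings


def report(findings):
    """Human-readable lines. UNRESOLVED means the version must be read from the
    resolved dependency tree (mvn dependency:tree), not from the manifest."""
    labels = {True: "VULNERABLE", False: "fixed", None: "UNRESOLVED"}
    return [f"{name} {ver or '(no version)'}: {labels[state]}" for name, ver, state in findings]


if __name__ == "__main__":
    for line in report(scan_pom(SAMPLE_POM) + scan_requirements(SAMPLE_REQUIREMENTS)):
        print(line)
```

A manifest only shows direct dependencies; an older Fory pulled in transitively by another library will not appear in it, so treat a clean manifest scan as a first pass and confirm against the resolved dependency tree.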

📡 Detection & Monitoring

Log Indicators:

  • Sustained CPU spikes on the worker threads or processes that perform deserialization
  • Increased error or timeout rates in deserialization functions
  • Large incoming payload sizes (a weak indicator on its own: the crafted payload the advisory describes need not be large)

Network Indicators:

  • Multiple large payloads from single source IPs
  • Abnormal request patterns to deserialization endpoints

SIEM Query (illustrative; Fory is a library and writes nothing to web-server logs by itself, so point the query at the application or gateway logs that record requests to the endpoints that feed Fory, and adjust the field names accordingly):

source="apache_logs" AND (uri="*deserialize*" OR uri="*process*") AND bytes > 1000000

A size threshold alone misses the case this advisory describes, a payload that is expensive to deserialize rather than large. Pair it with a rule on deserialization latency out of proportion to request size, and with per-source request volume.
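The query above keys on payload size only. The following added example (written for this page, not from the Apache Fory project; the log format, the endpoint path /api/ingest and the thresholds are constructed assumptions) runs three detections over a handful of constructed application-log lines: the size rule from the query, a latency-per-byte rule that catches small but expensive payloads, and a sliding-window volume rule per source. The sample traffic includes one large but fast request and one source sending small, slow ones, so the output shows which rule catches which.

```python
import json
from collections import defaultdict

# Endpoints whose request bodies are handed to the Fory deserializer (assumed path).
DESER_URIS = frozenset({"/api/ingest"})

# Constructed sample application-log lines (one JSON object per line), not real traffic.
SAMPLE_LOG = """\
{"ts": 1700000000.0, "src": "203.0.113.7",  "uri": "/api/ingest", "bytes": 1440,    "duration_ms": 4}
{"ts": 1700000001.0, "src": "203.0.113.7",  "uri": "/api/ingest", "bytes": 1510,    "duration_ms": 5}
{"ts": 1700000002.0, "src": "198.51.100.9", "uri": "/api/ingest", "bytes": 2200,    "duration_ms": 9800}
{"ts": 1700000003.0, "src": "198.51.100.9", "uri": "/api/ingest", "bytes": 2300,    "duration_ms": 11200}
{"ts": 1700000004.0, "src": "198.51.100.9", "uri": "/api/ingest", "bytes": 2100,    "duration_ms": 10400}
{"ts": 1700000005.0, "src": "192.0.2.44",   "uri": "/healthz",    "bytes": 0,       "duration_ms": 1}
{"ts": 1700000006.0, "src": "192.0.2.44",   "uri": "/api/ingest", "bytes": 3000000, "duration_ms": 210}
"""


def parse_log(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def deser_events(events):
    """Only requests that reach a deserialization endpoint matter here."""
    return [e for e in events if e["uri"] in DESER_URIS]


def large_payloads(events, min_bytes=1_000_000):
    """The size rule from the SIEM query: big bodies to deserialization endpoints."""
    return [e for e in deser_events(events) if e["bytes"] > min_bytes]


def expensive_requests(events, min_duration_ms=500, min_ms_per_kib=100.0):
    """Requests whose service time is out of proportion to their size: the
    signature of a small payload that is costly to deserialize."""
    hits = []
    for e in deser_events(events):
        kib = max(e["bytes"], 1) / 1024.0
        if e["duration_ms"] >= min_duration_ms and e["duration_ms"] / kib >= min_ms_per_kib:
            hits.append(e)
    return hits


def noisy_sources(events, window_s=60.0, threshold=3):
    """Sources with >= threshold deserialization requests inside any sliding
    window of window_s seconds. Returns {src: peak count in a window}."""
    times_by_src = defaultdict(list)
    for e in deser_events(events):
        times_by_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in times_by_src.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window_s:
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def triage(events):
    """Combine the three rules into one per-source summary for an analyst."""
    summary = defaultdict(lambda: {"large": 0, "expensive": 0, "burst": 0})
    for e in large_payloads(events):
        summary[e["src"]]["large"] += 1
    for e in expensive_requests(events):
        summary[e["src"]]["expensive"] += 1
    for src, peak in noisy_sources(events).items():
        summary[src]["burst"] = peak
    return dict(summary)


if __name__ == "__main__":
    for src, counts in triage(parse_log(SAMPLE_LOG)).items():
        print(src, counts)
```

On the sample, the size rule flags only the 3 MB request that the server handled in 210 ms, while the source actually tying up the deserializer sends 2 KB bodies that take around 10 s each and is caught only by the latency-per-byte and volume rules; that is the gap a size-only query leaves for this CVE.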

🔗 References

  • Vendor advisory: https://fory.apache.org/security/