CVE-2025-61622
📋 TL;DR
This vulnerability allows arbitrary code execution through deserialization of untrusted data in the pyfory/pyfury libraries. Applications are affected if they process serialized data from untrusted sources. Attackers can craft malicious data streams that trigger pickle deserialization, leading to remote code execution.
💻 Affected Systems
- pyfory
- pyfury
📦 What is this software?
Fory by Apache
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the affected system, data exfiltration, and lateral movement within the network.
Likely Case
Arbitrary code execution with the privileges of the application using the vulnerable library, potentially leading to data theft, service disruption, or further exploitation.
If Mitigated
Limited impact if proper input validation and source control are implemented, though the vulnerability still exists in the codebase.
🎯 Exploit Status
The vulnerability leverages pickle deserialization which is well-known for RCE. Attackers need to provide malicious serialized data to the application.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: pyfory 0.12.3 or later
Vendor Advisory: https://lists.apache.org/thread/vfn9hp9qt06db5yo1gmj3l114o3o2csd
Restart Required: No
Instructions:
1. Identify all applications using pyfory/pyfury.
2. Update pyfory to version 0.12.3 or later using pip: pip install --upgrade "pyfory>=0.12.3" (quote the requirement so the shell does not treat >= as an output redirection).
3. Test applications for compatibility.
4. Deploy updated applications.
🔧 Temporary Workarounds
Input Validation and Source Control
Implement strict input validation to only accept serialized data from trusted sources. Use allowlists for data sources.
Disable Pickle Fallback
If using pyfory, configure it not to use the pickle fallback serializer (though this may break functionality that depends on it).
🧯 If You Can't Patch
- Implement strict network controls to limit data sources to trusted origins only
- Deploy application-level firewalls or WAFs to inspect and block malicious serialized data patterns
🔍 How to Verify
Check if Vulnerable:
Check Python dependencies for pyfory versions 0.12.0-0.12.2 or pyfury versions 0.1.0-0.10.3
Check Version:
pip show pyfory | grep Version
Verify Fix Applied:
Verify pyfory version is 0.12.3 or later, or pyfury is not present in dependencies
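As an added example (not part of the advisory or of the Apache Fory project), the following Python script applies the version check above programmatically, flagging an installed pyfory 0.12.0 through 0.12.2 or pyfury 0.1.0 through 0.10.3 (the ranges the advisory lists). The importlib.metadata lookup and the injectable `lookup` parameter are assumptions of this example, added so the check can also be run against a constructed inventory.

```python
from importlib.metadata import PackageNotFoundError, version

# Inclusive affected ranges, as stated in the advisory for CVE-2025-61622.
VULNERABLE_RANGES = {
    "pyfory": ((0, 12, 0), (0, 12, 2)),
    "pyfury": ((0, 1, 0), (0, 10, 3)),
}


def parse_version(text):
    """Turn 'X.Y.Z' into a comparable 3-tuple of ints.
    Only leading numeric segments count; a pre-release suffix such as
    '0.12.3rc1' is dropped, so treat pre-releases of the fixed version
    with caution rather than as fixed."""
    parts = []
    for seg in text.split("."):
        digits = ""
        for ch in seg:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(package, version_text):
    """True if the named package at this version lies in an affected range."""
    if package not in VULNERABLE_RANGES:
        return False
    low, high = VULNERABLE_RANGES[package]
    return low <= parse_version(version_text) <= high


def installed_version(package):
    """Version string of an installed distribution, or None if absent."""
    try:
        return version(package)
    except PackageNotFoundError:
        return None


def check_environment(lookup=installed_version):
    """Return {package: (version, vulnerable)} for each affected package found.
    `lookup(name)` must return a version string or None (hypothetical hook)."""
    findings = {}
    for package in VULNERABLE_RANGES:
        ver = lookup(package)
        if ver is not None:
            findings[package] = (ver, is_vulnerable(package, ver))
    return findings


if __name__ == "__main__":
    for pkg, (ver, vuln) in check_environment().items():
        print(f"{pkg} {ver}: {'VULNERABLE' if vuln else 'not in affected range'}")
```

Run it inside each application's virtual environment, since the check only sees the interpreter it runs under.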
📡 Detection & Monitoring
Log Indicators:
- Unusual process execution from Python applications
- Errors related to pickle deserialization
- Unexpected network connections from Python processes
Network Indicators:
- Inbound connections delivering serialized data to vulnerable applications
- Outbound connections from Python processes to unexpected destinations
SIEM Query:
source="application.logs" AND ("pickle.loads" OR "pyfory" OR "pyfury") AND (process_execution OR network_connection)