CVE-2026-48207
CriticalSummary
Apache Fory has a vulnerability related to the deserialization of untrusted data in ReduceSerializer, which could bypass DeserializationPolicy validation during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled.
Risk Assessment
Organizations may be exposed to attacks that exploit this vulnerability to inject unsafe classes, functions, or module attributes, potentially leading to unauthorized access or data corruption.
Recommendation
It is recommended to upgrade Apache Fory to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.
Original NVD description (English source)
Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes. This issue affects Apache Fory: from before 1.0.0. Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.

