CVE-2026-48207— Apache Fory 代码问题漏洞

Apache Fory: PyFory ReduceSerializer Incomplete Policy Enforcement

Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes. This issue affects Apache Fory: from before 1.0.0. Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.

N/A

可信数据的反序列化

Apache Fory 代码问题漏洞

Apache Fory是Apache基金会的一个序列化框架。 Apache Fory 1.0.0之前版本存在代码问题漏洞，该漏洞源于PyFory的ReduceSerializer在还原状态恢复和全局名称解析期间可能绕过DeserializationPolicy验证钩子，可能导致反序列化攻击者控制的数据时，应用程序依赖DeserializationPolicy限制不安全类、函数或模块属性时存在风险。

N/A

N/A