Apache Fury/PyFury Deserialization Bypass and RCE Vulnerabilities (CVE-2026-50076/48207) Advisory

Vulnerability Overview Apache Fury contains multiple security vulnerabilities, primarily involving bypasses of deserialization checks and denial of service (DoS) issues. Affected Versions 1. CVE-2026-50076: Apache Fury: Java ReplaceResolverSerializerizer Deserialization Check Bypass - Severity: Important - Affected Versions: Apache Fury (org.apache.fury:fury-core) prior to version 1.1.0 - Description: On Java/VM platforms, Apache Fury fury-core Java SDK versions prior to 1.1.0 allow remote attackers to bypass class registration, TypeChecker, and DisallowedList checks by crafting malicious Fury serialization data, thereby invoking the / hooks present in the classpath. - Remediation: Users are advised to upgrade to version 1.1.0 or later, which resolves this issue. 2. CVE-2026-48207: PyFury ReduceSerializer DeserializationPolicy Bypass - Severity: Important - Affected Versions: PyFury 0.13.0 to 0.17.0 - Description: In PyFury versions 0.13.0 to 0.17.0, untrusted data deserialization can bypass the documented validation. A vulnerability exists when applications deserialize controlled data and rely on custom to restrict unsafe classes, functions, or module attributes. - Remediation: It is recommended to upgrade to PyFury 1.0.0 or later, which consistently enforces validation. Libraries and applications depending on Apache Fury should update their dependency requirements and release patched versions. 3. CVE-2025-61822: Python RCE via unguarded pickle fallback serializer in PyFury - Severity: Important - Affected Versions: PyFury - Description: Not explicitly detailed, but involves Python Remote Code Execution (RCE) via an unprotected pickle fallback serializer. 4. CVE-2025-59328: Denial of Service (DoS) due to Deserialization of Untrusted malicious large Data - Severity: Important - Affected Versions: PyFury - Description: Not explicitly detailed, but involves Denial of Service (DoS) caused by the deserialization of untrusted large data. Remediation Java Version: Upgrade to Apache Fury 1.1.0 or later. Python Version: Upgrade to PyFury 1.0.0 or later. POC Code or Exploit Code No specific POC code or exploit code is provided on the page.

Goal Reached Thanks to every supporter — we hit 100%!

Apache Fury/PyFury Deserialization Bypass and RCE Vulnerabilities (CVE-2026-50076/48207) Advisory