
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN539
_____________________________________________________________________

DATE                : 22/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Fory versions prior to
                     1.0.0.

=====================================================================
https://lists.apache.org/thread/rxhr96glbxcpt0wzk35go7cqbv56jr1f
_____________________________________________________________________

CVE-2026-48207: Apache Fory: PyFory ReduceSerializer Incomplete
Policy Enforcement

Severity: important

Affected versions:

- Apache Fory (pyfory) 0.13.0 before 1.0.0

Description:

Deserialization of untrusted data in Apache Fory PyFory. PyFory's
ReduceSerializer could bypass documented DeserializationPolicy
validation hooks during reduce-state restoration and global-name
resolution. An application is vulnerable if it deserializes
attacker-controlled data using PyFory Python-native mode with strict
mode disabled and relies on DeserializationPolicy to restrict unsafe
classes, functions, or module attributes.

This issue affects Apache Fory (pyfory) versions from 0.13.0 before 1.0.0.
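The two paths the advisory names, global-name resolution and reduce-state restoration, are exactly the places where a deserialization policy has to be applied. The following is an added illustration, not code from Apache Fory or the advisory: PyFory's DeserializationPolicy API is not shown on this page, so the standard library's pickle.Unpickler.find_class hook stands in for the global-name check, and a __setstate__ validator stands in for the state-restoration check. The Point and Counter classes, the SAFE_BUILTINS allowlist and the tampered sample payload are all constructed for the example.

```python
import builtins
import io
import pickle
from dataclasses import dataclass

# Globals the policy allows to be resolved by (module, name). Anything else,
# including a callable reached through a __reduce__ tuple, is refused before
# it is ever called. (Constructed allowlist for this example.)
SAFE_BUILTINS = {"range", "slice", "set", "frozenset", "complex"}


@dataclass
class Point:
    """Plain data object; pickled via the default NEWOBJ + BUILD path."""
    x: int
    y: int


class Counter:
    """Serialised via a custom __reduce__ with separate state, so both
    policy paths (global resolution and state restoration) are exercised."""

    def __init__(self, start: int = 0):
        self.value = start

    def __reduce__(self):
        # (callable, args, state): the callable is resolved through
        # find_class; the state is handed to __setstate__ afterwards.
        return (Counter, (), {"value": self.value})

    def __setstate__(self, state):
        # Policy for the state-restoration path: accept only the known
        # attribute with the expected type, never a blind __dict__ update.
        if set(state) != {"value"} or not isinstance(state["value"], int):
            raise pickle.UnpicklingError("state rejected by policy")
        self.value = state["value"]


class AllowlistUnpickler(pickle.Unpickler):
    """Policy for the global-name-resolution path (pickle's find_class hook).
    Every GLOBAL reference, including the callable of a REDUCE, passes here."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        if module == __name__ and name in {"Point", "Counter"}:
            return globals()[name]
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden by policy")


def restricted_loads(data: bytes):
    """Deserialise with the policy enforced on both paths."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def roundtrip(obj):
    """Serialise with the stdlib pickler, then load under the policy."""
    return restricted_loads(pickle.dumps(obj))


def policy_rejects(data: bytes) -> bool:
    """True if the policy blocked the payload, False if it deserialised."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def rejects_object(obj) -> bool:
    """Convenience wrapper: pickle obj, then ask whether the policy blocks it."""
    return policy_rejects(pickle.dumps(obj))


def tampered_counter_payload() -> bytes:
    """Constructed sample: a Counter whose pickled state carries a wrongly
    typed value, the kind of thing a hand-built reduce tuple can smuggle in."""

    class Tampered:
        def __reduce__(self):
            return (Counter, (), {"value": "5"})  # str where an int is required

    return pickle.dumps(Tampered())


if __name__ == "__main__":
    print(roundtrip(Point(1, 2)))                     # Point(x=1, y=2)
    print(roundtrip(Counter(7)).value)                # 7
    print(rejects_object(print))                      # True: builtins.print is not allowlisted
    print(policy_rejects(tampered_counter_payload()))  # True: state fails __setstate__ policy
```

The defensive point is that the policy must sit on the single chokepoint each path passes through: in pickle that is find_class for every global (the reduce callable included) and __setstate__ for restored state. A check that only inspects the top-level class while letting the reduce tuple resolve and apply state unchecked is the shape of gap the advisory describes, and a fixed build is the one where both hooks fire on every path.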

Mitigation: Users of Apache Fory are recommended to upgrade to version
1.0.0 or later, which enforces DeserializationPolicy validation for
the affected ReduceSerializer paths and thus fixes this issue.

Credit:

Lide Wen (reporter)

References:

https://fory.apache.org/security/#cve-2026-48207-pyfory-reduceserializer-deserializationpolicy-bypass
https://fory.apache.org
https://www.cve.org/CVERecord?id=CVE-2026-48207


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
