Skip to content

[GHSA-m5gw-83w2-7749] Deserialization of untrusted data in Apache Fory PyFory....#7797

Merged
advisory-database[bot] merged 1 commit into
HGWAYEN/advisory-improvement-7797from
HGWAYEN-GHSA-m5gw-83w2-7749
Jun 30, 2026
Merged

[GHSA-m5gw-83w2-7749] Deserialization of untrusted data in Apache Fory PyFory....#7797
advisory-database[bot] merged 1 commit into
HGWAYEN/advisory-improvement-7797from
HGWAYEN-GHSA-m5gw-83w2-7749

Conversation

@HGWAYEN

@HGWAYEN HGWAYEN commented May 22, 2026

Copy link
Copy Markdown

Updates

  • Affected products
  • Summary

Comments
Provide additional information about the vulnerable component. (Section on Affected Products)

Copilot AI review requested due to automatic review settings May 22, 2026 11:36

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds missing metadata to the GHSA advisory for CVE-2026-48207 by providing a short summary and specifying the affected PyPI package/version range.

Changes:

  • Added a summary field for quick advisory identification.
  • Populated affected with the PyPI package pyfory and an introduced/fixed version range.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

"CVE-2026-48207"
],
"summary": "PyFory ReduceSerializer DeserializationPolicy bypass",
"details": "Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes.\n\nThis issue affects Apache Fory: from before 1.0.0.\n\nMitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.",
Comment on lines +28 to +31
"introduced": "0.13.0"
},
{
"fixed": "1.0.0"
@github-actions github-actions Bot changed the base branch from main to HGWAYEN/advisory-improvement-7797 May 22, 2026 11:37
@advisory-database advisory-database Bot merged commit 4f1fbec into HGWAYEN/advisory-improvement-7797 Jun 30, 2026
4 checks passed
@advisory-database

Copy link
Copy Markdown
Contributor

Hi @HGWAYEN! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database Bot deleted the HGWAYEN-GHSA-m5gw-83w2-7749 branch June 30, 2026 21:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants