CVE-2025-61622
Published: 01 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-61622 is a deserialization of untrusted data vulnerability (CWE-502) in the Python libraries pyfory versions 0.12.0 through 0.12.2 and legacy pyfury versions 0.1.0 through 0.10.3. It enables arbitrary code execution when an application deserializes pyfory serialized data from untrusted sources. Specifically, an attacker can craft a malicious data stream that forces the use of a pickle-fallback serializer during deserialization, triggering the execution of the insecure `pickle.loads` function.
The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low complexity, no privileges or user interaction required. Any remote attacker capable of supplying crafted serialized data to a vulnerable application can achieve arbitrary code execution on the target system, potentially leading to full compromise.
Advisories recommend upgrading to pyfory version 0.12.3 or later, which removes the pickle fallback serializer and resolves the issue. Additional details are available in the Apache mailing list announcement at https://lists.apache.org/thread/vfn9hp9qt06db5yo1gmj3l114o3o2csd and the oss-security mailing list at http://www.openwall.com/lists/oss-security/2025/09/29/3.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote arbitrary code execution via crafted serialized data supplied over the network to vulnerable applications using pyfory/pyfury, directly mapping to exploitation of public-facing applications.