CRITICAL 9.8

GHSA-m5gw-83w2-7749

Apache Fory PyFory Deserialization of Untrusted Data

Details

Fory PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes.

This issue affects Apache Fory versions before 1.0.0.

Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.


Affected packages

PyPI / pyfory
First affected version: 0.13.0; fixed version: 1.0.0
Fix: pip install --upgrade 'pyfory>=1.0.0'
