Deserialization Vulnerability in Apache Fory Product by Apache
CVE-2026-48207
9.8CRITICAL
What is CVE-2026-48207?
A vulnerability exists in Apache Fory's ReduceSerializer due to improper handling of deserialization, which could allow an attacker to bypass DeserializationPolicy validation hooks during key operations such as state restoration and global-name resolution. This risk arises when deserializing data from untrusted sources in Python-native mode with strict mode turned off. To mitigate potential exploits, users must upgrade to version 1.0.0 or later, which integrates enhanced validation measures to protect against this issue.
Affected Version(s)
Apache Fory 0.13.0 < 1.0.0