CVE-2025-61622 · CRITICAL 9.8 · EPSS p98.7%


Description

Deserialization of untrusted data in Python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions 0.1.0 through 0.10.3, allows arbitrary code execution. An application is vulnerable if it reads pyfory serialized data from untrusted sources. An attacker can craft a data stream that selects the pickle-fallback serializer during deserialization, leading to the execution of `pickle.loads`, which is vulnerable to remote code execution. Users are recommended to upgrade to pyfory version 0.12.3 or later, which has removed the pickle fallback serializer and thus fixes this issue.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 49.53% probability of exploitation · percentile 98.7% · 2026-06-19T12:03:05Z
Published: 2025-10-01
Last modified: 2025-12-03

Underlying weaknesses (1)

CWE-502

References

  1. https://lists.apache.org/thread/vfn9hp9qt06db5yo1gmj3l114o3o2csd
  2. http://www.openwall.com/lists/oss-security/2025/09/29/3


Type: Weakness · Target: Deserialization of Untrusted Data (CWE-502) · Confidence: 0% · Tier: live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-48207
CVE-2026-50076
CVE-2026-31048
CVE-2025-63675
CVE-2025-69872
CVE-2025-46183
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.