Please note that the affected versions are 0.5.0 through 0.12.1. Version 0.12.1 is included too.
Kind regards,
Shawn Yang

On Mon, Sep 15, 2025 at 10:27 AM Chaokun Yang <[email protected]> wrote:
>
> Severity: moderate
>
> Affected versions:
>
> - Apache Fory (org.apache.fory:fory-core) 0.5.0 before 0.12.1
>
> Description:
>
> A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). The issue stems from the insecure deserialization of untrusted data. An attacker can supply a large, specially crafted data payload that, when processed, consumes an excessive amount of CPU resources during the deserialization process. This leads to CPU exhaustion, rendering the application or system using the Apache Fory library unresponsive and unavailable to legitimate users.
>
> Users of Apache Fory are strongly advised to upgrade to version 0.12.2 or later to mitigate this vulnerability. Developers of libraries and applications that depend on Apache Fory should update their dependency requirements to Apache Fory 0.12.2 or later and release new versions of their software.
>
> Credit:
>
> r00t4dm of meituan security (reporter)
>
> References:
>
> https://fory.apache.org
> https://www.cve.org/CVERecord?id=CVE-2025-59328
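For defenders auditing their builds, the following script (an added example, not code from the advisory or from the Apache Fory project) scans a Maven pom.xml for org.apache.fory:fory-core and flags versions in the affected range, treating 0.12.1 as included, as the follow-up note above clarifies. The pom fragment at the bottom is constructed for demonstration; dependency versions supplied via Maven properties such as `${fory.version}` are not resolved and are reported as unaffected.

```python
# Added example, not code from the advisory or the Apache Fory project:
# scan a Maven pom.xml for org.apache.fory:fory-core at a version in the
# affected range 0.5.0 through 0.12.1 inclusive (per the follow-up note).
import re
import xml.etree.ElementTree as ET

AFFECTED_LOW = (0, 5, 0)
AFFECTED_HIGH = (0, 12, 1)   # inclusive: 0.12.1 itself is affected
FIXED_VERSION = "0.12.2"     # first fixed release named in the advisory

def parse_version(text):
    """Map '0.12.1' (qualifiers such as '-SNAPSHOT' ignored) to an int tuple.
    Returns None for unresolved values such as '${fory.version}'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(version):
    """True when the version lies within [0.5.0, 0.12.1]."""
    parsed = parse_version(version)
    return parsed is not None and AFFECTED_LOW <= parsed <= AFFECTED_HIGH

def _local(tag):
    # Strip the Maven XML namespace, e.g. '{http://maven.apache.org/POM/4.0.0}version'
    return tag.rsplit("}", 1)[-1]

def find_affected_fory(pom_xml):
    """Return [(groupId:artifactId, version)] for affected fory-core dependencies."""
    hits = []
    for dep in ET.fromstring(pom_xml).iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in dep}
        coord = f"{fields.get('groupId')}:{fields.get('artifactId')}"
        if coord == "org.apache.fory:fory-core" and is_affected(fields.get("version")):
            hits.append((coord, fields["version"]))
    return hits

# Constructed sample pom fragment (not from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.apache.fory</groupId>
      <artifactId>fory-core</artifactId><version>0.12.1</version></dependency>
    <dependency><groupId>org.apache.fory</groupId>
      <artifactId>fory-core</artifactId><version>0.12.2</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for coord, ver in find_affected_fory(SAMPLE_POM):
        print(f"{coord} {ver}: affected by CVE-2025-59328, upgrade to {FIXED_VERSION} or later")
```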
