CVE-2025-59328: 
Java vulnerability analysis and mitigation

CVE-2025-59328 is a vulnerability discovered in Apache Fory that was disclosed on September 15, 2025. The vulnerability affects Apache Fory versions from 0.5.0 up to (excluding) 0.12.2. This security issue allows remote attackers to cause a Denial of Service (DoS) through insecure deserialization of untrusted data. The vulnerability was reported by r00t4dm of meituan security (NVD, Apache Advisory).

The vulnerability stems from insecure deserialization of untrusted data (CWE-502). An attacker can exploit this by supplying a large, specially crafted data payload that, when processed, consumes excessive CPU resources during the deserialization process. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When successfully exploited, this vulnerability leads to CPU exhaustion, rendering the application or system using the Apache Fory library unresponsive and unavailable to legitimate users. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system (Apache Advisory).

Users of Apache Fory are strongly advised to upgrade to version 0.12.2 or later to mitigate this vulnerability. Developers of libraries and applications that depend on Apache Fory should update their dependency requirements to Apache Fory 0.12.2 or later and release new versions of their software (Apache Advisory).