CVE-2025-61622: 
Python vulnerability analysis and mitigation

A critical deserialization vulnerability was discovered in Apache Fory's Python module (pyfory) affecting versions 0.12.0 through 0.12.2, and legacy pyfury versions from 0.1.0 through 0.10.3. The vulnerability was disclosed on October 1, 2025, and assigned identifier CVE-2025-61622. The flaw exists in the deserialization of untrusted data, which could allow arbitrary code execution when an application processes pyfory serialized data from untrusted sources (NVD, Miggo).

The vulnerability stems from an unguarded pickle-based fallback mechanism used for deserializing object types that were not explicitly registered or supported. The core of the vulnerability lies in the Fory.handleunsupportedread method, implemented in both Python and Cython versions. The flaw received a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high severity across confidentiality, integrity, and availability impacts (Miggo, NVD).

The vulnerability allows attackers to achieve arbitrary code execution by crafting a malicious data stream that forces the library to use the vulnerable pickle fallback serializer. This can lead to remote code execution through the execution of pickle.loads when processing untrusted serialized data (SecurityOnline, Miggo).

Users are strongly recommended to upgrade to pyfory version 0.12.3 or later, which has completely removed the pickle fallback serializer, thus eliminating the vulnerability. The patch addresses the issue by removing the unsafe deserialization path and updating the serializers to use safer, more explicit deserialization logic (NVD, Miggo).