CVE-2025-59328

CVE-2025-59328 is a medium-severity vulnerability in Apache Fory with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-502.

Key facts

Description

A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). The issue stems from the insecure deserialization of untrusted data. An attacker can supply a large, specially crafted data payload that, when processed, consumes an excessive amount of CPU resources during the deserialization process. This leads to CPU exhaustion, rendering the application or system using the Apache Fory library unresponsive and unavailable to legitimate users. Users of Apache Fory are strongly advised to upgrade to version 0.12.2 or later to mitigate this vulnerability. Developers of libraries and applications that depend on Apache Fory should update their dependency requirements to Apache Fory 0.12.2 or later and release new versions of their software.

Frequently asked questions

What is CVE-2025-59328?
A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). The issue stems from the insecure deserialization of untrusted data. An attacker can supply a large, specially crafted data payload that, when processed, consumes an excessive amount of CPU resources during the deserialization process. This leads to CPU exhaustion, rendering the application or system using the Apache Fory library unresponsive and unavailable to legitimate users. Users of Apache Fory are strongly advised to upgrade to version 0.12.2 or later to mitigate this vulnerability. Developers of libraries and applications that depend on Apache Fory should update their dependency requirements to Apache Fory 0.12.2 or later and release new versions of their software.
How severe is CVE-2025-59328?
CVE-2025-59328 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
Is CVE-2025-59328 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (44th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2025-59328?
CVE-2025-59328 affects Apache Fory. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2025-59328?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2025-59328 have an EU (EUVD) identifier?
Yes. CVE-2025-59328 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-29218.
When was CVE-2025-59328 published?
CVE-2025-59328 was published on 2025-09-15 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Apache Fory

All CVEs affecting Apache Fory →

Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities

Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →