CVE-2025-59328
CVE-2025-59328 is a medium-severity vulnerability in Apache Fory with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-502.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- EPSS exploit prediction: 1% (44th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-29218
- Weakness: CWE-502
- Affected product: Apache Fory
- Published:
- Last modified:
Description
A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). The issue stems from the insecure deserialization of untrusted data. An attacker can supply a large, specially crafted data payload that, when processed, consumes an excessive amount of CPU resources during the deserialization process. This leads to CPU exhaustion, rendering the application or system using the Apache Fory library unresponsive and unavailable to legitimate users. Users of Apache Fory are strongly advised to upgrade to version 0.12.2 or later to mitigate this vulnerability. Developers of libraries and applications that depend on Apache Fory should update their dependency requirements to Apache Fory 0.12.2 or later and release new versions of their software.
Frequently asked questions
- What is CVE-2025-59328?
- A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). The issue stems from the insecure deserialization of untrusted data. An attacker can supply a large, specially crafted data payload that, when processed, consumes an excessive amount of CPU resources during the deserialization process. This leads to CPU exhaustion, rendering the application or system using the Apache Fory library unresponsive and unavailable to legitimate users. Users of Apache Fory are strongly advised to upgrade to version 0.12.2 or later to mitigate this vulnerability. Developers of libraries and applications that depend on Apache Fory should update their dependency requirements to Apache Fory 0.12.2 or later and release new versions of their software.
- How severe is CVE-2025-59328?
- CVE-2025-59328 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2025-59328 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (44th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-59328?
- CVE-2025-59328 affects Apache Fory. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-59328?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-59328 have an EU (EUVD) identifier?
- Yes. CVE-2025-59328 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-29218.
- When was CVE-2025-59328 published?
- CVE-2025-59328 was published on 2025-09-15 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:apache:fory:*:*:*:*:*:*:*:*
More vulnerabilities in Apache Fory
- CVE-2026-48207 — Critical (CVSS 9.8): Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented…
- CVE-2025-61622 — Critical (CVSS 9.8): Deserialization of untrusted data in python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions…
- CVE-2026-50076 — Critical (CVSS 9.1): Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on…
All CVEs affecting Apache Fory →
Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities
- CVE-2026-41104 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose…
- CVE-2026-43633 — Critical (CVSS 10.0): HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a…
- CVE-2026-33819 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
- CVE-2026-20131 — Critical (CVSS 10.0): A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could…
- CVE-2026-25632 — Critical (CVSS 10.0): EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water…
- CVE-2025-14931 — Critical (CVSS 10.0): Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability.…
Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →