CVE-2025-59328

Опубликовано: 15 сент. 2025

Источник: nvd

CVSS3: 6.5

EPSS Низкий

Описание

A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). The issue stems from the insecure deserialization of untrusted data. An attacker can supply a large, specially crafted data payload that, when processed, consumes an excessive amount of CPU resources during the deserialization process. This leads to CPU exhaustion, rendering the application or system using the Apache Fory library unresponsive and unavailable to legitimate users.

Users of Apache Fory are strongly advised to upgrade to version 0.12.2 or later to mitigate this vulnerability. Developers of libraries and applications that depend on Apache Fory should update their dependency requirements to Apache Fory 0.12.2 or later and release new versions of their software.

Ссылки

https://fory.apache.org/security/
Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/09/15/1

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:fory:*:*:*:*:*:*:*:*

Версия от 0.5.0 (включая) до 0.12.2 (исключая)

EPSS

Процентиль: 83%

0.01839

Низкий

6.5 Medium

CVSS3

Дефекты

CWE-502

Связанные уязвимости

GHSA-5hmf-8wx5-4qq3

CVSS3: 6.5

github

5 месяцев назад

Apache Fory Deserialization of Untrusted Data vulnerability

BDU:2025-11414

CVSS3: 6.5

fstec

5 месяцев назад

Уязвимость фреймворка Apache Fory, связанная с недостатками механизма десериализации, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 83%

0.01839

Низкий

6.5 Medium

CVSS3

Дефекты

CWE-502