CVE-2025-59328

A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). The issue stems from the insecure deserialization of untrusted data. An attacker can supply a large, specially crafted data payload that, when processed, consumes an excessive amount of CPU resources during the deserialization process. This leads to CPU exhaustion, rendering the application or system using the Apache Fory library unresponsive and unavailable to legitimate users. Users of Apache Fory are strongly advised to upgrade to version 0.12.2 or later to mitigate this vulnerability. Developers of libraries and applications that depend on Apache Fory should update their dependency requirements to Apache Fory 0.12.2 or later and release new versions of their software.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://fory.apache.org/security/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:fory:*:*:*:*:*:*:*:*

History

23 Sep 2025, 15:27

Type	Values Removed	Values Added
First Time		Apache Apache fory
References	~~() https://fory.apache.org/security/ -~~	() https://fory.apache.org/security/ - Vendor Advisory
CPE		cpe:2.3:a:apache:fory::::::::

15 Sep 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-09-15 17:15

Updated : 2025-09-23 15:27

NVD link : CVE-2025-59328

Mitre link : CVE-2025-59328

CVE.ORG link : CVE-2025-59328

JSON object : View

Products Affected

apache

fory

CWE

CWE-502

Deserialization of Untrusted Data

6.5 /10