
CVE-2025-59328: Apache Fory Deserialization of Untrusted Data vulnerability

CVSS Score: 6.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.40835%
Published: 9/15/2025
Updated: 9/15/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name               Ecosystem  Vulnerable Versions  First Patched Version
org.apache.fory:fory-core  maven      < 0.12.2             0.12.2

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability in Apache Fory (CVE-2025-59328) is a Denial of Service (DoS) caused by the insecure deserialization of untrusted data. An attacker can provide a specially crafted, deeply nested object graph. When the Fory library attempts to deserialize this data, it enters a deep recursion without any limits on the nesting depth. This leads to excessive CPU and memory consumption, ultimately causing the application to become unresponsive.

The security patch mitigates this by introducing a configurable maximum deserialization depth (maxDepth), which defaults to 50. The core deserialization logic was updated to track the current depth and throw an InsecureException if this limit is exceeded, thus preventing the DoS attack.

The identified vulnerable functions are the key methods involved in the recursive deserialization process for different data types (general objects, collections, maps). Before the patch, these functions lacked the necessary depth checks. The provided patch evidence clearly shows the addition of the incReadDepth() call, which contains the new security check, directly within these functions or their closely-related helpers. Any deserialization operation that involves nested data structures would pass through these functions, making them the focal point of the vulnerability.

Vulnerable functions

org.apache.fory.Fory.readData
java/fory-core/src/main/java/org/apache/fory/Fory.java
This core deserialization method was modified to check the object graph depth. Before the patch, it would recursively call serializers without any depth limit, allowing a malicious payload with deep nesting to cause a Denial of Service through resource exhaustion.
org.apache.fory.serializer.collection.CollectionLikeSerializer.read
java/fory-core/src/main/java/org/apache/fory/serializer/collection/CollectionLikeSerializer.java
This serializer handles collection-like objects. Its `read` method, through the helper `readSameTypeElements`, recursively deserializes each element. Without a depth check, deeply nested collections could drive unbounded recursion and exhaust resources. The patch adds a depth check (`incReadDepth`) to mitigate this.
org.apache.fory.serializer.collection.MapLikeSerializer.read
java/fory-core/src/main/java/org/apache/fory/serializer/collection/MapLikeSerializer.java
This method is responsible for deserializing map-like objects. Its `read` method uses helpers like `readJavaChunk` to process map entries recursively. The vulnerability existed because there was no limit on the nesting depth of maps, leading to potential DoS. The patch introduces depth checks in these helper methods.
org.apache.fory.serializer.AbstractObjectSerializer.read
java/fory-core/src/main/java/org/apache/fory/serializer/AbstractObjectSerializer.java
This abstract class is the base for all object serializers. Its `read` method's implementations deserialize object fields. The helper method `readFinalObjectFieldValue` is used to read field values, which can be nested objects. The vulnerability was that this process was not depth-limited. The patch adds a depth check via `binding.incReadDepth()`.
org.apache.fory.Fory.xreadNonRef
java/fory-core/src/main/java/org/apache/fory/Fory.java
This method is part of Fory's cross-language deserialization mechanism. It was vulnerable to the same unbounded recursion as the Java-specific deserialization methods. The patch replaces a simple depth increment with a call to `incReadDepth()`, which enforces the maximum depth limit.
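As an added illustration (not Fory's code), the toy recursive reader below shows the guard pattern the patch introduces: a read-depth counter incremented on every nested container, a configurable maxDepth defaulting to 50, and an InsecureException once the limit is exceeded. The byte format, class names and the exception constructor are constructed for this example; only the names `incReadDepth`, `maxDepth` and `InsecureException` come from the advisory.

```java
import java.io.ByteArrayOutputStream;
import java.util.ArrayList;
import java.util.List;

// Toy recursive reader (constructed format, not Fory's wire format) showing the maxDepth guard.
public class DepthGuardDemo {
    // Stand-in for Fory's InsecureException; only the name comes from the advisory.
    static class InsecureException extends RuntimeException {
        InsecureException(String msg) { super(msg); }
    }
    static final byte TAG_INT = 0x01, TAG_LIST = 0x02;

    private final byte[] buf;
    private final int maxDepth;   // configurable limit; 50 matches the patched default
    private int pos = 0;
    private int depth = 0;        // current nesting depth of the object graph being read

    DepthGuardDemo(byte[] buf, int maxDepth) { this.buf = buf; this.maxDepth = maxDepth; }

    // Mirrors the patch's incReadDepth(): bump the counter and fail closed past the limit.
    private void incReadDepth() {
        if (++depth > maxDepth) {
            throw new InsecureException("nesting depth " + depth + " exceeds maxDepth " + maxDepth);
        }
    }

    Object read() {
        byte tag = buf[pos++];
        if (tag == TAG_INT) return (int) buf[pos++];
        if (tag != TAG_LIST) throw new IllegalStateException("bad tag " + tag);
        incReadDepth();                      // check BEFORE recursing into the elements
        int count = buf[pos++];
        List<Object> out = new ArrayList<>(count);
        for (int i = 0; i < count; i++) out.add(read());
        depth--;                             // balance the increment on the way back up
        return out;
    }

    // Constructed input: `levels` single-element lists wrapped around one int.
    static byte[] nested(int levels) {
        ByteArrayOutputStream bo = new ByteArrayOutputStream();
        for (int i = 0; i < levels; i++) { bo.write(TAG_LIST); bo.write(1); }
        bo.write(TAG_INT); bo.write(7);
        return bo.toByteArray();
    }

    public static void main(String[] args) {
        new DepthGuardDemo(nested(10), 50).read();           // 10 levels: accepted
        try { new DepthGuardDemo(nested(60), 50).read(); }   // level 51 trips the guard
        catch (InsecureException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The same counter must be decremented on every return path; a guard that only increments would start rejecting legitimate payloads after enough sibling containers have been read.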

WAF Protection Rules

WAF Rule

A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). The issue stems from the insecure deserialization of untrusted data. An attacker can supply a large, specially crafted data payload that, when processed, cons…
