¡¾·ì϶¹«¸æ¡¿Apache Fory PyFory·´ÐòÁл¯Õ½ÊõÈÆ¹ý·ì϶(CVE-2026-48207)

°ä²¼¹¦·ò 2026-05-28

Ò»¡¢·ì϶¸ÅÊö



0528·ì϶¸ÅÊö.png


Apache ForyÊÇÒ»¿î¸ß»úÄÜ¿ç˵»°ÐòÁл¯Óë·´ÐòÁл¯¿ò¼Ü £¬Ö§³ÖJava¡¢PythonµÈ¶àÖÖ˵»°»·¾³ £¬Ö¼ÔÚʵÏÖµÍÑÓ³¤¡¢¸ßÍÌ͵ÄÊý¾Ý»¥»»Óë¶ÔÏó´«Êä¡£PyForyΪÆäPythonʵÏÖ×é¼þ £¬Ö§³ÖPython-native¶ÔÏóÐòÁл¯ £¬¿í·ºÀûÓÃÓÚÉ¢²¼Ê½ÍÆËã¡¢»º´æ¡¢ÐÂÎÅ´«Êä¼°Êý¾Ý´¦Öõȳ¡¾°¡£


2026Äê5ÔÂ28ÈÕ £¬28Ȧ°²È«Ó¦¼±ÏìÓ¦ÖÐÐÄ£¨VSRC£©¼à²âµ½Apache Fory PyFory·´ÐòÁл¯Õ½ÊõÈÆ¹ý·ì϶¡£ÓÉÓÚPyForyÔÚPython-nativeģʽÏ £¬ReduceSerializerÔÚreduce-state¸´Ô­¼°È«¾ÖÃû³Æ½âÎö¹ý³ÌÖÐδÆëȫִÐÐDeserializationPolicyУÑéÂß¼­ £¬µ¼Ö¹¥»÷Õ߿ɻú¹Ø¶ñÒâÐòÁл¯Êý¾ÝÈÆ¹ý°²È«Õ½ÊõÏÞ¶È¡£µ±ÀûÓÃÆôÓ÷ÇÑϸñģʽ²¢·´ÐòÁл¯¹¥»÷Õ߿ɿØÊý¾Ýʱ £¬¹¥»÷Õß¿ÉÄÜŲÓÃΣÏÕÀà¡¢º¯Êý»òÄ£¿éÊôÐÔ £¬½ø¶øÖ´ÐÐËÁÒâ´úÂë¡¢»ñÈ¡Ãô¸ÐÊý¾Ý»ò½ÚÔìÀûÓùý³Ì¡£¸Ã·ì϶¿ÉÄܵ¼ÖÂÒµÎñϵͳÔâ·êÔ¶³Ì¹¥»÷ £¬²¢´øÀ´Êý¾Ýй¶¡¢ÒµÎñÖжϼ°ºÏ¹æ·çÏÕ¡£



¶þ¡¢Ó°ÏìÁìÓò



0.13.0 <= Apache Fory(pyfory) < 1.0.0



Èý¡¢°²È«´ëÊ©



3.1 Éý¼¶°æ±¾


¹Ù·½ÒѰ䲼½¨¸´²¹¶¡ £¬ÒÔ½¨¸´¸Ã·ì϶¡£

Apache Fory(pyfory) >= 1.0.0

ÏÂÔØÁ´½Ó£º

https://fory.apache.org/download/


3.2 һʱ´ëÊ©


ÔÝÎÞ¡£


3.3 ͨÓý¨Òé


¶¨ÆÚ¸üÐÂϵͳ²¹¶¡ £¬Ï÷¼õϵͳ·ì϶ £¬ÌáÉý·þÎñÆ÷µÄ°²È«ÐÔ¡£

¼ÓǿϵͳºÍÍøÂçµÄ½Ó¼û½ÚÔì £¬Åú¸Ä·À»ðǽսÊõ £¬¹Ø¹Ø·Ç±ØÒªµÄÀûÓö˿ڻò·þÎñ £¬Ï÷¼õ½«Î£ÏÕ·þÎñ£¨ÈçSSH¡¢RDPµÈ£©Â¶³öµ½¹«Íø £¬Ï÷¼õ¹¥»÷Ãæ¡£

ʹÓÃÆóÒµ¼¶°²È«²úÆ· £¬ÌáÉýÆóÒµµÄÍøÂ簲ȫ»úÄÜ¡£

¼ÓǿϵͳÓû§ºÍȨÏÞÖÎÀí £¬ÆôÓöà³É·ÖÈÏÖ¤»úÔìºÍ×îÓ×ȨÏÞ×¼Ôò £¬Óû§ºÍÈí¼þȨÏÞӦά³ÖÔÚ×îµÍÏÞ¶È¡£

ÆôÓÃÇ¿ÃÜÂëÕ½Êõ²¢ÉèÖÃΪ¶¨ÆÚÅú¸Ä¡£


3.4 ²Î¿¼Á´½Ó


https://nvd.nist.gov/vuln/detail/CVE-2026-48207/

https://www.openwall.com/lists/oss-security/2026/05/21/10

https://fory.apache.org/security/cve-2026-48207-pyfory-reduceserializer-deserializationpolicy-bypass