SCA: security update for org.apache.fory:fory-core (GHSA-5hmf-8wx5-4qq3)

medium Tenable Cloud Security Plugin ID 435322

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). The issue
stems from the insecure deserialization of untrusted data. An attacker can supply a large, specially
crafted data payload that, when processed, consumes an excessive amount of CPU resources during the
deserialization process. This leads to CPU exhaustion, rendering the application or system using the
Apache Fory library unresponsive and unavailable to legitimate users. Users of Apache Fory are strongly
advised to upgrade to version 0.12.2 or later to mitigate this vulnerability. Developers of libraries and
applications that depend on Apache Fory should update their dependency requirements to Apache Fory 0.12.2
or later and release new versions of their software. (CVE-2025-59328)

See Also

https://github.com/advisories/GHSA-5hmf-8wx5-4qq3

Plugin Details

Severity: Medium

ID: 435322

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 9/16/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

CVSS Score Source: CVE-2025-59328

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/15/2025

Vulnerability Publication Date: 9/15/2025

Reference Information

CVE: CVE-2025-59328

cwe: CWE-502