CyberGlossary, Vol. 1 · Ed. 2026, Entry № 603

Insecure Deserialization

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Insecure Deserialization?

Insecure Deserialization: A vulnerability where an application deserialises untrusted data, letting attackers instantiate arbitrary objects and frequently achieve remote code execution.


When an application converts serialized data (Java/PHP/Python/.NET binary formats, YAML, or JSON with type metadata) back into objects, the deserialiser may invoke constructors, magic methods, or gadget chains as a side effect of rebuilding them. With untrusted input, attackers craft payloads that trigger dangerous behaviour during deserialisation: RCE, authentication bypass, file write, or DoS. Gadget chains in deserialisers and libraries such as Apache Commons Collections (Java), pickle (Python), or .NET BinaryFormatter have caused critical incidents. Defences include refusing to deserialise untrusted data altogether, using formats without type recovery (plain JSON validated against an explicit schema), signing serialized payloads so that only server-produced data is accepted, applying allow-lists of deserialisable types, and patching language runtimes and libraries.

Examples

  1. A Java app deserialising a session cookie with Commons Collections on the classpath, leading to RCE.

  2. A Python service running pickle.loads on user-controlled bytes.
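The following is an added example, not code from the glossary or from any project it names. It takes example 02 (a service calling pickle.loads on user-controlled bytes) and shows two of the defences listed in the definition layered together: an HMAC signature over the serialized payload, checked before any deserialisation happens, and an allow-list of types enforced through pickle's own find_class hook. The Session class, the key value, and the constructed sample payloads are assumptions made for the example.

```python
import collections
import hashlib
import hmac
import io
import pickle
from dataclasses import dataclass

# Constructed key for this example; a real service loads it from a secret store
# and never ships it in source.
SECRET_KEY = b"example-only-key-0123456789abcdef"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC-SHA256 tag


class UnsafePayload(ValueError):
    """Raised when a payload fails the signature check or the type allow-list."""


@dataclass
class Session:
    # Hypothetical session object, the only type the server is willing to rebuild.
    user_id: int
    role: str


# Allow-list of (module, name) pairs the unpickler may resolve. Any other global
# a payload names is refused before it is even looked up.
ALLOWED_TYPES = {(Session.__module__, "Session")}


class RestrictedUnpickler(pickle.Unpickler):
    """pickle.Unpickler consults find_class for every global a stream references."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_TYPES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def unsafe_load(blob: bytes):
    """The vulnerable pattern from example 02: pickle.loads on user-controlled bytes."""
    return pickle.loads(blob)


def sign(body: bytes) -> bytes:
    """Prefix a serialized body with an HMAC-SHA256 tag so tampering is detectable."""
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return tag + body


def seal(obj) -> bytes:
    """Serialize a server-created object and sign it (e.g. before setting a cookie)."""
    return sign(pickle.dumps(obj, protocol=4))


def unseal(blob: bytes):
    """Verify the signature first, then deserialise through the allow-listed unpickler."""
    if len(blob) < TAG_LEN:
        raise UnsafePayload("payload too short to carry a signature")
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    # Constant-time comparison: a plain == leaks timing about how many bytes matched.
    if not hmac.compare_digest(tag, expected):
        raise UnsafePayload("signature mismatch: payload was not produced by this server")
    try:
        return RestrictedUnpickler(io.BytesIO(body)).load()
    except pickle.UnpicklingError as exc:
        raise UnsafePayload(str(exc)) from exc


def rejects(blob: bytes) -> bool:
    """True if unseal refuses the payload; used to exercise the two checks."""
    try:
        unseal(blob)
    except UnsafePayload:
        return True
    return False


# Constructed sample: a correctly signed pickle of a harmless type that is NOT on
# the allow-list. A valid signature proves who produced the bytes, not that they
# are safe to rebuild, so the allow-list still sits behind it as a second layer.
DISALLOWED_SAMPLE = sign(pickle.dumps(collections.OrderedDict(a=1), protocol=4))

if __name__ == "__main__":
    cookie = seal(Session(user_id=42, role="reader"))
    print("round trip:", unseal(cookie))
    tampered = cookie[:-1] + bytes([cookie[-1] ^ 0x01])
    print("tampered rejected:", rejects(tampered))
    print("off-list type rejected:", rejects(DISALLOWED_SAMPLE))
```

The order of the checks matters: the signature is verified over the raw bytes before a single pickle opcode is interpreted, so a forged or modified payload never reaches the deserialiser at all, and the find_class allow-list covers the case where signed data comes from a component that should not be trusted to name arbitrary types. Where the data model permits it, the definition's stronger option still applies: carry the session as plain JSON with an explicit schema and drop pickle entirely.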

Frequently asked questions

What is Insecure Deserialization?

A vulnerability where an application deserialises untrusted data, letting attackers instantiate arbitrary objects and frequently achieve remote code execution. It belongs to the Vulnerabilities category of cybersecurity.

What does Insecure Deserialization mean?

A vulnerability where an application deserialises untrusted data, letting attackers instantiate arbitrary objects and frequently achieve remote code execution.

How do you defend against Insecure Deserialization?

Defences for Insecure Deserialization typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Insecure Deserialization?

Common alternative names include: Unsafe deserialization, Object deserialization vulnerability.
