Insecure Deserialization

Also known as: Unsafe deserialization, Object deserialization vulnerability

Definition

A vulnerability where an application deserialises untrusted data, letting attackers instantiate arbitrary objects and frequently achieve remote code execution.

When an application converts serialized data (Java/PHP/Python/.NET binary formats, YAML, or JSON with type metadata) back into objects, the deserialiser may invoke constructors, magic methods, or gadget chains. With untrusted input, attackers craft payloads that trigger dangerous behaviour during deserialisation: RCE, authentication bypass, file write, or DoS. Gadget chains in libraries such as Apache Commons Collections (Java), pickle (Python), or .NET BinaryFormatter have caused critical incidents. Defences include refusing to deserialise untrusted data altogether, using formats without type recovery (plain JSON with explicit schemas), signing serialized payloads, applying allow-lists of deserialisable types, and patching language runtimes.

Examples

  • A Java app deserialising a session cookie with Commons Collections on the classpath, leading to RCE.
  • A Python service running pickle.loads on user-controlled bytes.
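
The pickle case above next to two of the defences from the definition (a type allow-list and signed plain JSON), as an added Python illustration that is not part of the original glossary entry. `Marker`, `untrusted_bytes`, `safe_loads`, `sign`, `verify_and_load` and the key are hypothetical names, and the constructed payload names the harmless `os.getpid` as its callable.

```python
import hashlib, hmac, io, json, os, pickle

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to clients

class Marker:
    """Constructed object: its pickle tells the loader to call os.getpid()."""
    def __reduce__(self):
        return (os.getpid, ())  # benign stand-in for a callable named by the payload

def untrusted_bytes():
    """Bytes as they might arrive in a cookie or request body (constructed)."""
    return pickle.dumps(Marker())

class AllowListUnpickler(pickle.Unpickler):
    """Resolve only allow-listed globals; every other lookup is refused."""
    ALLOWED = {("datetime", "date")}

    def find_class(self, module, name):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)

def safe_loads(data):
    return AllowListUnpickler(io.BytesIO(data)).load()

def sign(obj):
    """Serialise as plain JSON and prefix an HMAC-SHA256 tag."""
    body = json.dumps(obj, separators=(",", ":")).encode()
    tag = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    return tag + b"." + body

def verify_and_load(token):
    """Verify the tag in constant time before parsing; JSON recovers no types."""
    tag, _, body = token.partition(b".")
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    return json.loads(body)

if __name__ == "__main__":
    data = untrusted_bytes()
    print("pickle.loads returned:", pickle.loads(data))  # a PID, not a Marker
    try:
        safe_loads(data)
    except pickle.UnpicklingError as exc:
        print("allow-list loader:", exc)
    print("signed JSON:", verify_and_load(sign({"user": "alice"})))
```

Plain `pickle.loads` returns the result of the call the bytes requested, while the allow-list loader fails before any call is made.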
