Insecure Deserialization

Impact: High


Insecure deserialization occurs when an application deserializes a user-supplied object string without checking its integrity. It allows attackers to manipulate the system state and execute remote commands.


Change the application architecture and make it not dependent on object serialization from an untrusted source. Or at least use object deserialization where only primitive data types are acceptable. If you have to use object deserialization, make sure to implement integrity checks such as digital signatures on any serialized objects to prevent data tampering. Also, log any deserialization errors and monitor them.


Last updated on October 10, 2021

This issue is available in SmartScanner Professional

See Pricing