Serialized Object Found

Impact: High


Object serialization allows transferring complex data structures over channels like HTTP. But whenever there is a serialized object there would be a deserialization process in place. Object deserialization is prone to different vulnerabilities like command execution.


Change the application architecture and make it not dependent on object serialization from an untrusted source. Or at least use object deserialization where only primitive data types are acceptable. If you have to use object deserialization, make sure to implement integrity checks such as digital signatures on any serialized objects to prevent data tampering. Also, log any deserialization errors and monitor them.


Last updated on October 10, 2021

This issue is available in SmartScanner Professional

See Pricing