Description
Object serialization allows complex data structures to be transferred over channels such as HTTP. However, a serialized object appearing in the application's requests, responses or storage indicates that the application deserializes such objects, which is a potential source of vulnerabilities. Deserializing objects from untrusted sources can lead to various security risks, including remote code execution and data tampering.
Recommendation
To address the risk associated with serialized objects:
- Evaluate the necessity of deserializing objects from untrusted sources and minimize such dependencies wherever possible.
- Implement strict validation mechanisms to ensure that only trusted and properly formatted serialized objects are accepted.
- Consider using safer alternatives to object serialization, such as JSON or XML, which offer better security controls.
- Employ runtime protections and monitor for any anomalous deserialization activities that could indicate exploitation attempts.
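The second and third recommendations combined, as an added example that is not part of this page: an untrusted payload is accepted only as plain JSON, keys that could reach `Object.prototype` are stripped during parsing, and the result is checked against an explicit allowlist of fields and types. The `PROFILE_SCHEMA` payload shape and the sample inputs are constructed for illustration.

```javascript
'use strict';

// Hardened deserialization of an untrusted JSON payload (added example).
// (1) plain JSON rather than an object-graph format, (2) a reviver that drops
// keys able to reach Object.prototype, (3) an allowlist schema so only the
// expected shape and types are accepted.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Reviver: returning undefined removes the property from the parsed result.
function stripDangerousKeys(key, value) {
  return DANGEROUS_KEYS.has(key) ? undefined : value;
}

// Hypothetical schema: field name -> expected typeof. Unknown fields are rejected.
const PROFILE_SCHEMA = { id: 'number', name: 'string', admin: 'boolean' };

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function validateShape(obj, schema) {
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    throw new TypeError('expected a JSON object');
  }
  for (const key of Object.keys(obj)) {
    if (!hasOwn(schema, key)) throw new TypeError(`unexpected field: ${key}`);
    if (typeof obj[key] !== schema[key]) {
      throw new TypeError(`field ${key} must be ${schema[key]}`);
    }
  }
  for (const key of Object.keys(schema)) {
    if (!hasOwn(obj, key)) throw new TypeError(`missing field: ${key}`);
  }
  return obj;
}

// Parse an untrusted payload; returns a validated plain object or throws.
function safeDeserialize(text, schema) {
  const parsed = JSON.parse(text, stripDangerousKeys);
  const validated = validateShape(parsed, schema);
  // Copy onto a null-prototype object so no inherited property is reachable.
  return Object.assign(Object.create(null), validated);
}

// Convenience wrapper that reports acceptance instead of throwing.
function tryDeserialize(text, schema = PROFILE_SCHEMA) {
  try { return { ok: true, value: safeDeserialize(text, schema) }; }
  catch (e) { return { ok: false, error: e.message }; }
}
```

A constructed payload carrying a `"__proto__"` key is accepted only after that key is removed, while wrong types, unexpected or missing fields, and non-object roots are rejected before the data reaches application logic.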
References
Related Issues
- Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify - Vulnerability
- Insecure Direct Object Reference (IDOR) - Vulnerability
- DOM Clobbering Gadget found in Rspack's AutoPublicPathRuntimeModule that leads to XSS - Vulnerability
- jquery-plugin-query-object contains prototype pollution vulnerability - CVE-2021-20083
Tags: Deserialization
Last updated on May 13, 2024