🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Insecure Deserialisation

Insecure deserialisation occurs when an application does not properly validate or sanitize untrusted input during the deserialization process, leading to arbitrary code execution and denial of service. Deserialization is the process of converting serialized data (e.g., from JSON, XML, or other formats) back into an object or data structure that can be used within a program.

Remediation

  • Where possible avoid using untrusted data in serialisation process.
  • Use safe libraries that segregate data from the code during deserialisation and perform contextual escaping.

Metadata

  • Severity: critical
  • Slug: insecure-deserialisation

CWEs

  • 502: Deserialization of Untrusted Data

OWASP

  • A03:2021: Injection
  • A8:2017: Insecure Deserialization

Available Labs

Open Python labs in SecDim Play for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.