deserialization
Safeguard articles tagged "deserialization" — guides, analysis, and best practices for software supply chain and application security.
48 articles
Jackson ObjectMapper and the gadget-chain trap: safe polymorphic deserialization
One FasterXML fix in 2017 spawned nearly 30 follow-up CVEs. Here's how Jackson's polymorphic typing enables RCE, and how to configure ObjectMapper safely.
The Java ecosystem's recurring vulnerability classes: deserialization, XXE, and JNDI injection
Log4Shell scored a 10.0 CVSS and Spring4Shell followed five months later — both traced back to two patterns Java has repeated for a decade.
Recurring vulnerability patterns in the PyPI ecosystem
PyYAML shipped two rounds of deserialization fixes in under two years — CVE-2017-18342 and CVE-2020-14343 — because the underlying pattern kept resurfacing.
Inside CVE-2025-55182: the React Server Components RCE and how to defend against it
A CVSS 10.0 pre-auth RCE in React Server Components, exploited within 48 hours of disclosure — how the deserialization flaw works and how to mitigate it.
PyYAML Security Guide (2026)
PyYAML is the default YAML parser for Python — and its history of arbitrary-code-execution CVEs from unsafe loading makes yaml.load() one of the most dangerous calls in the language.
Python code injection: eval, exec, and pickle explained
eval(), exec(), and pickle.load() can each hand an attacker a Python interpreter — CVE-2020-1747 shows how one unsafe deserialization call became a real RCE.
CTF writeup patterns: serialization and cryptographic puzzles, decoded
CVE-2013-0156 let attackers RCE Rails by feeding YAML into a parameter parser — the same insecure-deserialization pattern CTF players train on every weekend.
Log4Shell and Spring4Shell, years later: why the same bug keeps coming back
CVE-2021-44228 scored a perfect CVSS 10.0 and hit CISA's Known Exploited Vulnerabilities list the day it was published — the root cause hasn't gone away.
PHP code security fundamentals: injection, deserialization, and file inclusion
PHP still powers over 70% of server-side websites, and its three oldest vulnerability classes — injection, deserialization, and file inclusion — remain the most common findings in 2026.
CVE-2022-1471: Inside the SnakeYaml Deserialization RCE
CVE-2022-1471 scored 9.8 CRITICAL under NIST's CVSS calculation — a single YAML tag could hand attackers remote code execution in any Java app parsing untrusted input.
The most common Spring Boot security misconfigurations, and how to fix them
CVE-2026-40976 let anonymous users hit /actuator/env and /actuator/heapdump on default Spring Boot 4 filter chains, CVSS 9.1 — here's how to actually harden Spring Boot.
Unsafe Deserialization in Swift: NSCoding, Codable, and Safer Patterns
Two 2019 iOS zero-click bugs, CVE-2019-8646 and CVE-2019-8647, both traced back to NSKeyedUnarchiver — a reminder that Swift's Objective-C legacy still hides deserialization risk.