Safeguard
Tag

deserialization

Safeguard articles tagged "deserialization" — guides, analysis, and best practices for software supply chain and application security.

48 articles

Application Security

Jackson ObjectMapper and the gadget-chain trap: safe polymorphic deserialization

One FasterXML fix in 2017 spawned nearly 30 follow-up CVEs. Here's how Jackson's polymorphic typing enables RCE, and how to configure ObjectMapper safely.

Jul 16, 20265 min read
Open Source Security

The Java ecosystem's recurring vulnerability classes: deserialization, XXE, and JNDI injection

Log4Shell scored a 10.0 CVSS and Spring4Shell followed five months later — both traced back to two patterns Java has repeated for a decade.

Jul 14, 20266 min read
Open Source Security

Recurring vulnerability patterns in the PyPI ecosystem

PyYAML shipped two rounds of deserialization fixes in under two years — CVE-2017-18342 and CVE-2020-14343 — because the underlying pattern kept resurfacing.

Jul 14, 20266 min read
Application Security

Inside CVE-2025-55182: the React Server Components RCE and how to defend against it

A CVSS 10.0 pre-auth RCE in React Server Components, exploited within 48 hours of disclosure — how the deserialization flaw works and how to mitigate it.

Jul 9, 20266 min read
Security Guides

PyYAML Security Guide (2026)

PyYAML is the default YAML parser for Python — and its history of arbitrary-code-execution CVEs from unsafe loading makes yaml.load() one of the most dangerous calls in the language.

Jul 8, 20265 min read
Application Security

Python code injection: eval, exec, and pickle explained

eval(), exec(), and pickle.load() can each hand an attacker a Python interpreter — CVE-2020-1747 shows how one unsafe deserialization call became a real RCE.

Jul 8, 20265 min read
Application Security

CTF writeup patterns: serialization and cryptographic puzzles, decoded

CVE-2013-0156 let attackers RCE Rails by feeding YAML into a parameter parser — the same insecure-deserialization pattern CTF players train on every weekend.

Jul 8, 20267 min read
Vulnerability Management

Log4Shell and Spring4Shell, years later: why the same bug keeps coming back

CVE-2021-44228 scored a perfect CVSS 10.0 and hit CISA's Known Exploited Vulnerabilities list the day it was published — the root cause hasn't gone away.

Jul 8, 20266 min read
Application Security

PHP code security fundamentals: injection, deserialization, and file inclusion

PHP still powers over 70% of server-side websites, and its three oldest vulnerability classes — injection, deserialization, and file inclusion — remain the most common findings in 2026.

Jul 8, 20267 min read
Vulnerability Management

CVE-2022-1471: Inside the SnakeYaml Deserialization RCE

CVE-2022-1471 scored 9.8 CRITICAL under NIST's CVSS calculation — a single YAML tag could hand attackers remote code execution in any Java app parsing untrusted input.

Jul 8, 20265 min read
Application Security

The most common Spring Boot security misconfigurations, and how to fix them

CVE-2026-40976 let anonymous users hit /actuator/env and /actuator/heapdump on default Spring Boot 4 filter chains, CVSS 9.1 — here's how to actually harden Spring Boot.

Jul 8, 20266 min read
Application Security

Unsafe Deserialization in Swift: NSCoding, Codable, and Safer Patterns

Two 2019 iOS zero-click bugs, CVE-2019-8646 and CVE-2019-8647, both traced back to NSKeyedUnarchiver — a reminder that Swift's Objective-C legacy still hides deserialization risk.

Jul 8, 20265 min read
deserialization — Safeguard Blog