Safeguard
Tag

deserialization-vulnerability

Safeguard articles tagged "deserialization-vulnerability" — guides, analysis, and best practices for software supply chain and application security.

9 articles

Vulnerability Analysis

Alibaba fastjson deserialization RCE (CVE-2022-25845)

A critical AutoType-bypass RCE in Alibaba fastjson (CVSS 9.8, EPSS ~99th pct) hits any app parsing untrusted JSON. Here's how to detect and fix it.

Jan 11, 20267 min read
Vulnerability Analysis

PyYAML Loader arbitrary code execution (CVE-2017-18342)

PyYAML's default yaml.load() Loader lets attackers run arbitrary code via crafted YAML input. Here's how CVE-2017-18342 works and how to fix it.

Dec 30, 20257 min read
Vulnerability Analysis

Log4j SocketServer unsafe deserialization (CVE-2019-17571)

A deep dive into CVE-2019-17571, the Log4j 1.x SocketServer deserialization flaw enabling remote code execution, with remediation guidance.

Dec 25, 20257 min read
Vulnerability Analysis

Jackson-databind polymorphic deserialization RCE (CVE-2017-15095)

A critical jackson-databind deserialization vulnerability (CVE-2017-15095) lets unauthenticated attackers achieve RCE via HikariCP gadget classes.

Dec 25, 20257 min read
Vulnerability Analysis

Jackson-databind RCE via JDOM gadget (CVE-2020-36189)

CVE-2020-36189 lets attackers chain jackson-databind polymorphic deserialization with a JDOM gadget for RCE, SSRF, or XXE. Here's the mechanics and the fix.

Dec 25, 20257 min read
Vulnerability Analysis

Python Pickle deserialization risk explained

Pickle deserialization lets attacker-controlled data execute arbitrary code on load. Here's how the exploit works, real CVEs, and how to fix it.

Dec 2, 20257 min read
Vulnerability Analysis

CVE-2020-1747: PyYAML full_load still allows code execution

CVE-2020-1747 shows PyYAML's FullLoader and full_load() could still trigger arbitrary code execution on untrusted YAML before 5.3.1. Here's the full breakdown.

Oct 6, 20258 min read
Vulnerability Analysis

CVE-2019-12384: Polymorphic deserialization gadget in Jac...

CVE-2019-12384 is a Jackson-databind polymorphic deserialization gadget flaw via Ehcache's transaction manager class, patched in 2.9.9.1.

Sep 30, 20257 min read
Vulnerability Analysis

CVE-2019-16335: Jackson-databind gadget via jackson-dataf...

CVE-2019-16335 is a jackson-databind polymorphic deserialization flaw tied to jackson-dataformat-cbor, fixed in 2.9.10. Here's the impact, timeline, and fix.

Sep 29, 20257 min read
deserialization-vulnerability — Safeguard Blog