Safeguard
Tag

deserialization

Safeguard articles tagged "deserialization" — guides, analysis, and best practices for software supply chain and application security.

48 articles

Vulnerability Management

How task-scheduler RCEs become cryptomining botnets

Two chained Apache Airflow CVEs and a Rundeck YAML deserialization bug show how scheduler tools turn one flaw into unauthenticated RCE and persistent mining.

Jul 8, 20266 min read
Application Security

The Python pickle security model, explained

Python's own docs warn that unpickling can execute arbitrary code — yet pickle is still the default weight format behind millions of ML model downloads.

Jul 7, 20266 min read
Security Guides

Elixir and Phoenix Security Best Practices: BEAM Footguns and the Hex Supply Chain

Phoenix is safe by default, but the BEAM has its own footguns — binary_to_term, atom exhaustion, dynamic eval — and the Erlang/OTP runtime beneath it shipped a CVSS 10.0 pre-auth SSH RCE in 2025.

Jul 6, 20266 min read
Security Guides

OWASP A08: Software and Data Integrity Failures — A Deep-Dive Guide

Software and Data Integrity Failures rank #8 in the OWASP Top 10 (2021). A deep dive into insecure deserialization, unsigned updates, SolarWinds, and real CVEs.

Jul 6, 20267 min read
Security Guides

Pickle and Deserialization Security in Python

Unpickling untrusted data is arbitrary code execution, by design. Here is why pickle is dangerous, where it hides, and what to use instead.

Jul 5, 20265 min read
Security Guides

Scala Security Best Practices: JVM Supply Chain, Deserialization, and Framework CVEs

Scala's expressive type system does nothing about the JVM attack surface underneath it. Log4Shell, Jackson gadget chains, and Spark's command-injection CVE all reach Scala code directly.

Jul 5, 20266 min read
Vulnerability Analysis

Fastjson AutoType Bypass RCE (CVE-2022-25845) Explained

CVE-2022-25845 defeated Fastjson's autoType protection and reopened a deserialization RCE path. Here's how the bypass worked and how to lock the library down.

Jul 4, 20265 min read
Security Guides

Jackson-databind Security Guide (2026)

Jackson-databind is the default JSON engine for the Java ecosystem — and the source of one of the longest deserialization CVE sagas in open source. Here is how to run it safely.

Jul 4, 20266 min read
Vulnerability Analysis

Jackson-databind Polymorphic Deserialization Gadget (CVE-2019-12384) Explained

CVE-2019-12384 chained a logback gadget with H2's RUNSCRIPT to turn default typing into code execution. Here's the mechanism, the classpath caveat, and how to fix it for good.

Jul 3, 20265 min read
Security Guides

pandas Security Guide (2026)

pandas is the backbone of Python data analysis — and while its own CVE record is thin, the read_pickle deserialization risk is real, the query/eval expression engine invites injection, and most 'pandas findings' actually live in its dependency tree.

Jul 3, 20266 min read
Vulnerability Guides

YAML Injection: How It Happens and How to Prevent It

YAML looks like a harmless config format, but the wrong parser call turns a config file into a code-execution engine. Here's how YAML deserialization attacks work and how to parse safely.

Jul 2, 20265 min read
Security Guides

Java Deserialization Vulnerabilities: How Gadget Chains Work and How to Stop Them

Native Java deserialization can turn a single readObject() call into remote code execution. Here's how gadget chains work and how to shut them down.

Jul 2, 20266 min read
deserialization (Page 2) — Safeguard Blog