deserialization
Safeguard articles tagged "deserialization" — guides, analysis, and best practices for software supply chain and application security.
48 articles
NumPy Security Guide (2026)
NumPy is the numerical foundation of the Python data ecosystem — and while many of its CVEs are disputed, the pickle-based numpy.load deserialization risk is real and worth understanding.
ActiveMQ CVE-2023-46604 Explained: The OpenWire Deserialization RCE
CVE-2023-46604 is an unauthenticated remote code execution flaw in Apache ActiveMQ's OpenWire protocol, rated CVSS 10.0. Here is how it works, how ransomware crews weaponized it, and how to remediate.
PyTorch Security Guide (2026)
PyTorch is the dominant deep-learning framework for research and production — and its torch.load remote-code-execution history makes loading a model checkpoint one of the most security-sensitive operations in modern ML.
Ruby Security Best Practices: Deserialization, Injection, and the Gem Supply Chain
Rails is safe by default — until a developer reaches for YAML.load, Kernel#open, or a raw-string query. Here are the Ruby footguns and the gem hygiene that keep them closed.
Apache Tomcat CVE-2025-24813: a deserialization deep dive
Tomcat's partial-PUT deserialization RCE turned a session persistence feature into a remote code execution path, and the pattern is one Java middleware keeps repeating.
YAML Deserialization Attacks: The Config File That Runs Code
YAML's type system allows object instantiation during parsing. In many languages, this means a YAML file can execute arbitrary code.
Ruby deserialization vulnerabilities: Marshal.load, YAML....
A decade of Ruby CVEs — from CVE-2013-0156 to CVE-2022-32224 — shows how Marshal.load and YAML.load turn untrusted input into remote code execution.
SonicWall SMA 1000 CVE-2025-23006 Pre-Auth RCE
CVE-2025-23006 is a pre-auth deserialization RCE in SonicWall SMA 1000. Exploit chain, detection signals, and appliance hardening.
Erlang/OTP atom exhaustion and deserialization risks in E...
How the elixir atom exhaustion vulnerability lets attackers crash BEAM nodes via unsafe binary_to_term calls, and how Safeguard catches the pattern before it ships.
Veeam Backup CVE-2024-40711 Unauth RCE Walkthrough
CVE-2024-40711 is a critical unauth RCE in Veeam Backup & Replication. Deserialization flaw, exploit chain, and ransomware operator abuse.
Jenkins CLI Deserialization RCE via Commons-Collections G...
CVE-2015-8103: unauthenticated RCE in Jenkins CLI via a Commons-Collections deserialization gadget chain. Impact, timeline, and remediation.
LangGraph CVE-2025-64439: When Agent Checkpoints Become RCE
A JsonPlusSerializer fallback in langgraph-checkpoint let attacker-controlled payloads execute arbitrary Python on deserialization. We unpack the bug, the patch, and what agent operators must change.