Safeguard
Tag

deserialization

Safeguard articles tagged "deserialization" — guides, analysis, and best practices for software supply chain and application security.

48 articles

Open Source Security

PHP object injection vulnerability landscape

Industry analysis of PHP object injection vulnerability trends, gadget chains, and real-world CVEs, plus how to find exploitable deserialization paths.

Nov 13, 20258 min read
Industry Analysis

Object Injection Vulnerabilities in PHP and Node.js

PHP's unserialize() and Node's insecure deserialization both let attackers forge objects and execute code. Here's how object injection works and how to stop it.

Nov 9, 20257 min read
Vulnerability Analysis

CVE-2017-18342: Arbitrary code execution via PyYAML yaml....

CVE-2017-18342 lets attackers achieve remote code execution via PyYAML's yaml.load(), which deserialized untrusted YAML into live Python objects by default.

Oct 6, 20258 min read
Vulnerability Analysis

CVE-2020-14343: PyYAML arbitrary code execution via pytho...

CVE-2020-14343 lets attackers run arbitrary code via PyYAML's python/object/new tag, bypassing an earlier FullLoader fix. Versions, CVSS, and remediation inside.

Oct 6, 20257 min read
Vulnerability Analysis

CVE-2015-6420: Deserialization vulnerability via Apache C...

How a vulnerable Apache Commons Collections library let attackers achieve remote code execution via Java deserialization gadget chains, and what CVE-2015-6420 still teaches about supply chain risk.

Sep 30, 20258 min read
Vulnerability Analysis

CVE-2019-14540: Jackson-databind blacklist bypass via c3p...

CVE-2019-14540 lets attackers bypass jackson-databind's deserialization blacklist via c3p0 classes to achieve RCE. Here's what's affected, the timeline, and how to remediate.

Sep 29, 20257 min read
Vulnerability Analysis

CVE-2021-25329: Incomplete fix of Tomcat PersistenceManag...

CVE-2021-25329 shows how Tomcat's PersistenceManager deserialization fix (CVE-2020-9484) was incomplete, still risking RCE in edge-case configs.

Sep 23, 20258 min read
Vulnerability Analysis

CVE-2022-1471: Remote code execution in SnakeYAML deseria...

CVE-2022-1471 exposes SnakeYAML deserialization to remote code execution. Here is what is affected, CVSS context, and how to remediate the flaw.

Sep 23, 20257 min read
Vulnerabilities

Java Vulnerability Classes: A Reference List

A java vulnerability list organized by class — deserialization, injection, XXE, and the rest — because Java's ecosystem produces a specific, recurring set of vulnerability patterns worth knowing by name.

Feb 11, 20255 min read
Application Security

YAML Deserialization Attacks and How to Prevent Them

YAML looks innocent but its deserialization features have led to remote code execution in countless applications. Here is why and how to stay safe.

Jan 28, 20244 min read
Application Security

Deserialization Attacks in Java and Python

Insecure deserialization turns data parsing into code execution. This guide covers deserialization attacks in Java and Python, the gadget chain concept, and practical defenses for both ecosystems.

Dec 5, 20236 min read
Code Security

Insecure Deserialization: Why Untrusted Data Should Never Become Objects

Deserialization vulnerabilities turn data into code execution. Here is how they work, which languages are most affected, and how to defend against them.

Oct 12, 20236 min read
deserialization (Page 4) — Safeguard Blog