deserialization
Safeguard articles tagged "deserialization" — guides, analysis, and best practices for software supply chain and application security.
48 articles
PHP object injection vulnerability landscape
Industry analysis of PHP object injection vulnerability trends, gadget chains, and real-world CVEs, plus how to find exploitable deserialization paths.
Object Injection Vulnerabilities in PHP and Node.js
PHP's unserialize() and Node's insecure deserialization both let attackers forge objects and execute code. Here's how object injection works and how to stop it.
CVE-2017-18342: Arbitrary code execution via PyYAML yaml....
CVE-2017-18342 lets attackers achieve remote code execution via PyYAML's yaml.load(), which deserialized untrusted YAML into live Python objects by default.
CVE-2020-14343: PyYAML arbitrary code execution via pytho...
CVE-2020-14343 lets attackers run arbitrary code via PyYAML's python/object/new tag, bypassing an earlier FullLoader fix. Versions, CVSS, and remediation inside.
CVE-2015-6420: Deserialization vulnerability via Apache C...
How a vulnerable Apache Commons Collections library let attackers achieve remote code execution via Java deserialization gadget chains, and what CVE-2015-6420 still teaches about supply chain risk.
CVE-2019-14540: Jackson-databind blacklist bypass via c3p...
CVE-2019-14540 lets attackers bypass jackson-databind's deserialization blacklist via c3p0 classes to achieve RCE. Here's what's affected, the timeline, and how to remediate.
CVE-2021-25329: Incomplete fix of Tomcat PersistenceManag...
CVE-2021-25329 shows how Tomcat's PersistenceManager deserialization fix (CVE-2020-9484) was incomplete, still risking RCE in edge-case configs.
CVE-2022-1471: Remote code execution in SnakeYAML deseria...
CVE-2022-1471 exposes SnakeYAML deserialization to remote code execution. Here is what is affected, CVSS context, and how to remediate the flaw.
Java Vulnerability Classes: A Reference List
A java vulnerability list organized by class — deserialization, injection, XXE, and the rest — because Java's ecosystem produces a specific, recurring set of vulnerability patterns worth knowing by name.
YAML Deserialization Attacks and How to Prevent Them
YAML looks innocent but its deserialization features have led to remote code execution in countless applications. Here is why and how to stay safe.
Deserialization Attacks in Java and Python
Insecure deserialization turns data parsing into code execution. This guide covers deserialization attacks in Java and Python, the gadget chain concept, and practical defenses for both ecosystems.
Insecure Deserialization: Why Untrusted Data Should Never Become Objects
Deserialization vulnerabilities turn data into code execution. Here is how they work, which languages are most affected, and how to defend against them.