insecure-deserialization
Safeguard articles tagged "insecure-deserialization" — guides, analysis, and best practices for software supply chain and application security.
12 articles
Preventing insecure deserialization in Node.js
A 2017 node-serialize flaw let attackers turn a signed cookie into remote code execution — here's how deserialization bugs still slip into Node apps.
Insecure Deserialization in .NET: BinaryFormatter and Beyond
Why insecure deserialization is a remote-code-execution risk in .NET, what changed with BinaryFormatter's removal in .NET 9, and the dangerous JSON.NET settings still in the wild.
What is Insecure Deserialization? A Developer's Guide
Insecure deserialization turns a trusted data-loading routine into a remote code execution primitive. Learn how gadget chains work and how to deserialize untrusted data safely.
What is Insecure Deserialization
Insecure deserialization (CWE-502) lets attackers turn untrusted object data into remote code execution. Here's how the attack works and how to stop it.
Insecure deserialization attack
A precise breakdown of what is an insecure deserialization attack, how object injection and gadget chains work in Java and Python, and how to defend against them.
Insecure deserialization vulnerabilities explained
Insecure deserialization vulnerabilities let attackers turn trusted classes into gadget chains for RCE. See real CVEs, affected languages, and fixes.
Python Pickle deserialization risk explained
Pickle deserialization lets attacker-controlled data execute arbitrary code on load. Here's how the exploit works, real CVEs, and how to fix it.
.NET deserialization vulnerability landscape
A look at the .NET deserialization vulnerability landscape — from the 2025 ASP.NET machine key crisis to BinaryFormatter's retirement and Telerik exploits.
Insecure Deserialization Prevention in Java with Deserial...
Java deserialization RCEs still hit production years after JEP 290 shipped filters. Here's how JEP 290/415 filters work, common rollout mistakes, and how Safeguard closes the gaps.
Insecure Deserialization Prevention in JavaScript: Avoidi...
How the node-serialize RCE flaw (CVE-2017-5941) works, why unsafe JS deserialization patterns persist, and concrete steps—plus how Safeguard catches them in CI.
Insecure Deserialization Prevention in Python: yaml.safe_...
Why yaml.load() and pickle.load() became RCE vectors in Python, the CVEs behind them, and how safe_load() closes the gap — plus how Safeguard catches unsafe deserialization before it ships.
Serialization vs. Deserialization in Java: Security Implications
The difference between serialization and deserialization in Java is simple to state and dangerous to get wrong — deserialization of untrusted data has caused some of the highest-severity Java CVEs of the last decade.