Safeguard
Tag

insecure-deserialization

Safeguard articles tagged "insecure-deserialization" — guides, analysis, and best practices for software supply chain and application security.

12 articles

Application Security

Preventing insecure deserialization in Node.js

A 2017 node-serialize flaw let attackers turn a signed cookie into remote code execution — here's how deserialization bugs still slip into Node apps.

Jul 13, 20265 min read
Security Guides

Insecure Deserialization in .NET: BinaryFormatter and Beyond

Why insecure deserialization is a remote-code-execution risk in .NET, what changed with BinaryFormatter's removal in .NET 9, and the dangerous JSON.NET settings still in the wild.

Jul 8, 20265 min read
Vulnerability Guides

What is Insecure Deserialization? A Developer's Guide

Insecure deserialization turns a trusted data-loading routine into a remote code execution primitive. Learn how gadget chains work and how to deserialize untrusted data safely.

Jul 2, 20265 min read
Vulnerability Analysis

What is Insecure Deserialization

Insecure deserialization (CWE-502) lets attackers turn untrusted object data into remote code execution. Here's how the attack works and how to stop it.

Mar 29, 20267 min read
Industry Analysis

Insecure deserialization attack

A precise breakdown of what is an insecure deserialization attack, how object injection and gadget chains work in Java and Python, and how to defend against them.

Feb 25, 20267 min read
Vulnerability Analysis

Insecure deserialization vulnerabilities explained

Insecure deserialization vulnerabilities let attackers turn trusted classes into gadget chains for RCE. See real CVEs, affected languages, and fixes.

Dec 13, 20256 min read
Vulnerability Analysis

Python Pickle deserialization risk explained

Pickle deserialization lets attacker-controlled data execute arbitrary code on load. Here's how the exploit works, real CVEs, and how to fix it.

Dec 2, 20257 min read
Open Source Security

.NET deserialization vulnerability landscape

A look at the .NET deserialization vulnerability landscape — from the 2025 ASP.NET machine key crisis to BinaryFormatter's retirement and Telerik exploits.

Nov 15, 20257 min read
Industry Analysis

Insecure Deserialization Prevention in Java with Deserial...

Java deserialization RCEs still hit production years after JEP 290 shipped filters. Here's how JEP 290/415 filters work, common rollout mistakes, and how Safeguard closes the gaps.

Oct 21, 20257 min read
Industry Analysis

Insecure Deserialization Prevention in JavaScript: Avoidi...

How the node-serialize RCE flaw (CVE-2017-5941) works, why unsafe JS deserialization patterns persist, and concrete steps—plus how Safeguard catches them in CI.

Oct 20, 20256 min read
Industry Analysis

Insecure Deserialization Prevention in Python: yaml.safe_...

Why yaml.load() and pickle.load() became RCE vectors in Python, the CVEs behind them, and how safe_load() closes the gap — plus how Safeguard catches unsafe deserialization before it ships.

Oct 20, 20257 min read
AppSec

Serialization vs. Deserialization in Java: Security Implications

The difference between serialization and deserialization in Java is simple to state and dangerous to get wrong — deserialization of untrusted data has caused some of the highest-severity Java CVEs of the last decade.

Jun 10, 20256 min read
insecure-deserialization — Safeguard Blog