A critical vulnerability where applications reconstruct objects from untrusted serialized data, enabling remote code execution through crafted payloads that exploit object reconstruction logic.
Insecure deserialization is a vulnerability that occurs when applications reconstruct objects from serialized data without adequate validation, allowing attackers to manipulate serialized payloads to achieve remote code execution, privilege escalation, injection attacks, and denial of service. Serialization converts complex objects into transportable formats; deserialization reverses this process -- and when it processes untrusted data, it becomes a critical attack vector.
Applications serialize objects to store state in sessions, transmit data between services, cache computed results, or pass messages through queues. Common serialization formats include Java ObjectInputStream, Python pickle, PHP serialize, Ruby Marshal, and .NET BinaryFormatter.
When applications deserialize untrusted input, attackers craft payloads containing object chains (gadget chains) that trigger dangerous operations during reconstruction. In Java, gadget chains abuse classes available on the classpath to achieve arbitrary command execution through seemingly innocent object construction. The attack does not require the application to use the deserialized object directly -- the mere act of deserializing triggers the exploit.
Prevention strategies include avoiding native serialization of untrusted data entirely, using data-only formats (JSON, Protocol Buffers) instead of object serialization, implementing strict type validation before deserialization, using allowlists to restrict deserializable classes, and monitoring deserialization endpoints for anomalous payloads.
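
Two of the prevention strategies above, shown with Python pickle as an added example (not CDA's code): an allowlist enforced through `pickle.Unpickler.find_class`, and a data-only JSON path with explicit type validation. The allowlist contents, the `load_session` shape and the sample streams are assumptions constructed for illustration.

```python
import collections
import io
import json
import pickle

# Assumption for this example: the only non-primitive type the app stores.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class AllowlistUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Called for every class/function the stream names, before anything
        # is constructed or invoked, so rejecting here stops reconstruction.
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def safe_loads(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def load_session(raw: str) -> dict:
    """Data-only alternative: JSON yields only dict/list/str/number/bool/None."""
    obj = json.loads(raw)
    if not isinstance(obj, dict) or not isinstance(obj.get("user"), str):
        raise ValueError("unexpected session shape")
    roles = obj.get("roles")
    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        raise ValueError("roles must be a list of strings")
    return {"user": obj["user"], "roles": roles}


# Constructed sample streams (benign): one allowlisted type, two that are not.
SAMPLE_ALLOWED = pickle.dumps(collections.OrderedDict(user="alice"))
SAMPLE_CALLABLE = pickle.dumps(print)                # names builtins.print
SAMPLE_OTHER_CLASS = pickle.dumps(collections.Counter("aab"))

if __name__ == "__main__":
    print(safe_loads(SAMPLE_ALLOWED))
    print(is_rejected(SAMPLE_CALLABLE), is_rejected(SAMPLE_OTHER_CLASS))
    print(load_session('{"user": "alice", "roles": ["viewer"]}'))
```

The allowlist only limits which classes and functions a stream may name; every allowlisted type still has to be safe to construct from attacker-chosen state, which is why the JSON path is the preferred one for untrusted input.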
Insecure deserialization frequently leads to remote code execution -- the most severe impact category. Multiple critical vulnerabilities in widely deployed platforms have exploited deserialization flaws for large-scale compromise. The attacks are often unauthenticated and require minimal interaction, making them ideal for automated exploitation.
CDA treats insecure deserialization as a critical VSD finding. Theater missions identify serialization endpoints across application architectures, assess gadget chain availability, and implement safe alternatives to native object serialization. Our approach prioritizes eliminating deserialization of untrusted data rather than attempting to filter malicious payloads.
Written by CDA Editorial