Common Weakness Enumeration

CWE-502

Allowed

Deserialization of Untrusted Data

Abstraction: Base · Status: Draft

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

4802 vulnerabilities reference this CWE, most recent first.

GHSA-QW3W-X3XF-GG83

Vulnerability from github – Published: 2025-08-28 15:30 – Updated: 2026-04-28 21:35
VLAI
Details

Deserialization of Untrusted Data vulnerability in emarket-design Employee Directory – Staff Listing & Team Directory Plugin for WordPress allows Object Injection. This issue affects Employee Directory – Staff Listing & Team Directory Plugin for WordPress: from n/a through 4.5.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-53243"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-28T13:16:02Z",
    "severity": "HIGH"
  },
  "details": "Deserialization of Untrusted Data vulnerability in emarket-design Employee Directory \u2013 Staff Listing \u0026amp; Team Directory Plugin for WordPress allows Object Injection. This issue affects Employee Directory \u2013 Staff Listing \u0026amp; Team Directory Plugin for WordPress: from n/a through 4.5.3.",
  "id": "GHSA-qw3w-x3xf-gg83",
  "modified": "2026-04-28T21:35:49Z",
  "published": "2025-08-28T15:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53243"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/employee-directory/vulnerability/wordpress-employee-directory-staff-listing-team-directory-plugin-for-wordpress-plugin-4-5-2-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QW48-84F6-28GV

Vulnerability from github – Published: 2026-05-18 13:27 – Updated: 2026-05-18 13:27
VLAI
Summary
Graphite Has a Pickle Deserialization Vulnerability
Details

Impact

Type of vulnerability: Insecure Deserialization via Python's pickle module.

Who is impacted:
Users of Graphite graph database engine versions before 0.2 who load database files from untrusted or third-party sources.
An attacker could craft a malicious database file that executes arbitrary code when loaded by the engine. This is possible because the engine used pickle for serialization, which is known to be unsafe for untrusted data.

Patches

The vulnerability has been patched starting from version 0.2.
All users should upgrade to version 0.2 or later (the current version is 0.4 at publishing time).
In version 0.2 and above, the engine uses JSON instead of pickle for database storage, eliminating the deserialization risk.

Workarounds

If users cannot upgrade immediately:

  1. Do not load database files from untrusted or unknown sources when using versions <0.2.
  2. Migrate existing pickle-based databases to the new JSON format using the provided migration module:
from graphite.Migration import convert_pickle_to_json
convert_pickle_to_json("path/to/old_database.pkl", "path/to/new_database.json")

After migration, you can safely use the database with version 0.2+.

Note: Versions 0.2 and later will show a warning when attempting to load legacy pickle files, reminding you to migrate them. Also, you can't load pickle files in 0.2 and later.

Resources

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "graphitedb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T13:27:55Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n**Type of vulnerability:** Insecure Deserialization via Python\u0027s `pickle` module.\n\n**Who is impacted:**  \nUsers of *Graphite graph database engine* versions **before 0.2** who load database files from untrusted or third-party sources.  \nAn attacker could craft a malicious database file that executes arbitrary code when loaded by the engine. This is possible because the engine used `pickle` for serialization, which is known to be unsafe for untrusted data.\n\n### Patches\nThe vulnerability has been patched starting from **version 0.2**.  \nAll users should upgrade to **version 0.2 or later** (the current version is 0.4 at publishing time).  \nIn version 0.2 and above, the engine uses **JSON** instead of `pickle` for database storage, eliminating the deserialization risk.\n\n### Workarounds\nIf users cannot upgrade immediately:\n\n1. **Do not load database files from untrusted or unknown sources** when using versions \u003c0.2.\n2. **Migrate existing pickle-based databases** to the new JSON format using the provided migration module:\n\n```python\nfrom graphite.Migration import convert_pickle_to_json\nconvert_pickle_to_json(\"path/to/old_database.pkl\", \"path/to/new_database.json\")\n```\n\nAfter migration, you can safely use the database with version 0.2+.\n\n**Note:** Versions 0.2 and later will show a **warning** when attempting to load legacy pickle files, reminding you to migrate them. Also, **you can\u0027t load pickle files** in 0.2 and later.\n\n### Resources\n- Upgrade to [v0.2 or newer](https://github.com/mkh-user/graphite/releases)\n- Migration guide: See `graphite.Migration` module documentation\n- More on pickle security: [Python docs \u2013 pickle security](https://docs.python.org/3/library/pickle.html#module-pickle)",
  "id": "GHSA-qw48-84f6-28gv",
  "modified": "2026-05-18T13:27:56Z",
  "published": "2026-05-18T13:27:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mkh-user/graphite/security/advisories/GHSA-qw48-84f6-28gv"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mkh-user/graphite"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mkh-user/graphite/releases/tag/v0.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Graphite Has a Pickle Deserialization Vulnerability"
}

GHSA-QW4P-9PRR-VCV7

Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35
VLAI
Details

Unauthenticated PHP Object Injection in JetEngine <= 3.8.10 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-52706"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-17T13:20:49Z",
    "severity": "CRITICAL"
  },
  "details": "Unauthenticated PHP Object Injection in JetEngine \u003c= 3.8.10 versions.",
  "id": "GHSA-qw4p-9prr-vcv7",
  "modified": "2026-06-17T18:35:52Z",
  "published": "2026-06-17T18:35:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52706"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-8-10-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QW5F-8JQW-9832

Vulnerability from github – Published: 2026-05-12 18:30 – Updated: 2026-05-13 18:30
VLAI
Details

The torch-checkpoint-shrink.py script in the ml-engineering project in commit 0099885db36a8f06556efe1faf552518852cb1e0 (2025-20-27) contains an insecure deserialization vulnerability (CWE-502). The script uses torch.load() to process PyTorch checkpoint files (.pt) without enabling the security-restrictive weights_only=True parameter. This oversight allows the deserialization of arbitrary Python objects via the pickle module. A remote attacker can exploit this by providing a maliciously crafted checkpoint file, leading to arbitrary code execution in the context of the user running the script.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31214"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-12T16:16:13Z",
    "severity": "CRITICAL"
  },
  "details": "The torch-checkpoint-shrink.py script in the ml-engineering project in commit 0099885db36a8f06556efe1faf552518852cb1e0 (2025-20-27) contains an insecure deserialization vulnerability (CWE-502). The script uses torch.load() to process PyTorch checkpoint files (.pt) without enabling the security-restrictive weights_only=True parameter. This oversight allows the deserialization of arbitrary Python objects via the pickle module. A remote attacker can exploit this by providing a maliciously crafted checkpoint file, leading to arbitrary code execution in the context of the user running the script.",
  "id": "GHSA-qw5f-8jqw-9832",
  "modified": "2026-05-13T18:30:40Z",
  "published": "2026-05-12T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31214"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stas00/ml-engineering/blob/master/training/checkpoints/torch-checkpoint-shrink.py#L57"
    },
    {
      "type": "WEB",
      "url": "https://www.notion.so/CVE-2026-31214-35d1e1393188813fa40eef73c174cee5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QWGV-R6C4-XRJP

Vulnerability from github – Published: 2024-05-14 18:31 – Updated: 2024-05-14 18:31
VLAI
Details

Microsoft SharePoint Server Remote Code Execution Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30044"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T17:17:16Z",
    "severity": "HIGH"
  },
  "details": "Microsoft SharePoint Server Remote Code Execution Vulnerability",
  "id": "GHSA-qwgv-r6c4-xrjp",
  "modified": "2024-05-14T18:31:04Z",
  "published": "2024-05-14T18:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30044"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30044"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QWP7-W63J-VXCR

Vulnerability from github – Published: 2025-05-19 21:30 – Updated: 2026-04-01 18:35
VLAI
Details

Deserialization of Untrusted Data vulnerability in Elbisnero WordPress Events Calendar Registration & Tickets allows Object Injection.This issue affects WordPress Events Calendar Registration & Tickets: from n/a through 2.6.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-47581"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-19T19:15:52Z",
    "severity": "CRITICAL"
  },
  "details": "Deserialization of Untrusted Data vulnerability in Elbisnero WordPress Events Calendar Registration \u0026 Tickets allows Object Injection.This issue affects WordPress Events Calendar Registration \u0026 Tickets: from n/a through 2.6.0.",
  "id": "GHSA-qwp7-w63j-vxcr",
  "modified": "2026-04-01T18:35:12Z",
  "published": "2025-05-19T21:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47581"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/wpeventplus/vulnerability/wordpress-wordpress-events-calendar-registration-tickets-plugin-2-6-0-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QX96-XFH6-P75H

Vulnerability from github – Published: 2024-04-04 03:31 – Updated: 2026-04-08 21:32
VLAI
Details

The Modal Popup Box – Popup Builder, Show Offers And News in Popup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.5.2 via deserialization of untrusted input in the awl_modal_popup_box_shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2008"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-04T03:15:06Z",
    "severity": "HIGH"
  },
  "details": "The Modal Popup Box \u2013 Popup Builder, Show Offers And News in Popup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.5.2 via deserialization of untrusted input in the awl_modal_popup_box_shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.",
  "id": "GHSA-qx96-xfh6-p75h",
  "modified": "2026-04-08T21:32:25Z",
  "published": "2024-04-04T03:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2008"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/modal-popup-box/trunk/include/modal-popup-box-shortcode.php#L19"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3062572%40modal-popup-box\u0026new=3062572%40modal-popup-box\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fca3d106-49df-49fc-a90d-e0cb26bd34b6?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QXF4-66FG-4H23

Vulnerability from github – Published: 2025-11-13 09:31 – Updated: 2025-11-13 09:31
VLAI
Details

The AI Engine plugin for WordPress is vulnerable to PHP Object Injection via PHAR Deserialization in all versions up to, and including, 3.1.8 via deserialization of untrusted input in the 'rest_simpleTranscribeAudio' and 'rest_simpleVisionQuery' functions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12844"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-13T08:15:49Z",
    "severity": "HIGH"
  },
  "details": "The AI Engine plugin for WordPress is vulnerable to PHP Object Injection via PHAR Deserialization in all versions up to, and including, 3.1.8 via deserialization of untrusted input in the \u0027rest_simpleTranscribeAudio\u0027 and \u0027rest_simpleVisionQuery\u0027 functions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.",
  "id": "GHSA-qxf4-66fg-4h23",
  "modified": "2025-11-13T09:31:16Z",
  "published": "2025-11-13T09:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12844"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jordymeow/ai-engine/blob/main/classes/api.php#L799"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jordymeow/ai-engine/blob/main/classes/engines/chatml.php#L960-L967"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jordymeow/ai-engine/blob/main/classes/modules/files.php#L237"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jordymeow/ai-engine/blob/main/classes/services/image.php#L43"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3392052"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c39c1b72-e3e0-44fb-8fb8-602cb0aa61e3?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QXRP-VHVM-J765

Vulnerability from github – Published: 2024-11-23 03:31 – Updated: 2025-02-13 22:15
VLAI
Summary
Deserialization of Untrusted Data in Hugging Face Transformers
Details

Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of configuration files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-24322.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "transformers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.48.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-11392"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-11T15:04:55Z",
    "nvd_published_at": "2024-11-22T22:15:06Z",
    "severity": "HIGH"
  },
  "details": "Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of configuration files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-24322.",
  "id": "GHSA-qxrp-vhvm-j765",
  "modified": "2025-02-13T22:15:58Z",
  "published": "2024-11-23T03:31:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11392"
    },
    {
      "type": "WEB",
      "url": "https://github.com/huggingface/transformers/issues/34840"
    },
    {
      "type": "WEB",
      "url": "https://github.com/huggingface/transformers/pull/35296"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/huggingface/transformers"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2024-227.yaml"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1513"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Deserialization of Untrusted Data in Hugging Face Transformers"
}

GHSA-QXWX-C654-V423

Vulnerability from github – Published: 2021-12-07 00:00 – Updated: 2022-03-17 00:06
VLAI
Details

An issue (4 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited due to deserialization behavior that is inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server. This vulnerability is mitigated by properly configuring the servers and firewall as described in the vendor's security alert for this vulnerability (VTS21-003, ZDI-CAN-14075).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-44680"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-06T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue (4 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited due to deserialization behavior that is inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server. This vulnerability is mitigated by properly configuring the servers and firewall as described in the vendor\u0027s security alert for this vulnerability (VTS21-003, ZDI-CAN-14075).",
  "id": "GHSA-qxwx-c654-v423",
  "modified": "2022-03-17T00:06:37Z",
  "published": "2021-12-07T00:00:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44680"
    },
    {
      "type": "WEB",
      "url": "https://www.veritas.com/content/support/en_US/security/VTS21-003"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1590"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Mitigation
Implementation

When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Mitigation
Implementation

Explicitly define a final object() to prevent deserialization.

Mitigation
Architecture and Design Implementation
  • Make fields transient to protect them from deserialization.
  • An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Implementation

Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.

Mitigation
Architecture and Design Implementation

Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-586: Object Injection

An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.