Common Weakness Enumeration

CWE-502

Allowed

Deserialization of Untrusted Data

Abstraction: Base · Status: Draft

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

4797 vulnerabilities reference this CWE, most recent first.

GHSA-XW7X-H9FJ-P2C7

Vulnerability from github – Published: 2026-03-25 21:27 – Updated: 2026-03-27 21:37
VLAI
Summary
OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution
Details

In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: 1. OpenTelemetry Java instrumentation is attached as a Java agent (-javaagent) 2. An RMI endpoint is network-reachable (e.g. JMX remote port, an RMI registry, or any application-exported RMI service) 3. A gadget-chain-compatible library is present on the classpath

Impact

Arbitrary remote code execution with the privileges of the user running the instrumented JVM.

Recommendation

Upgrade to version 2.26.1 or later.

Workarounds

Set the following system property to disable the RMI integration:

-Dotel.instrumentation.rmi.enabled=false

Credits

This vulnerability was responsibly disclosed in coordination with Datadog.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.opentelemetry.javaagent:opentelemetry-javaagent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.26.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33701"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-25T21:27:43Z",
    "nvd_published_at": "2026-03-27T01:16:19Z",
    "severity": "CRITICAL"
  },
  "details": "In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution.\u00a0All three of the following conditions must be true to exploit this vulnerability:\n1. OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`)\n2. An RMI endpoint is network-reachable (e.g. JMX remote port, an RMI registry, or any application-exported RMI service)\n3. A gadget-chain-compatible library is present on the classpath\n\n### Impact\nArbitrary remote code execution with the privileges of the user running the instrumented JVM.\n\n### Recommendation\nUpgrade to version 2.26.1 or later.\n\n### Workarounds\nSet the following system property to disable the RMI integration:\n\n```\n-Dotel.instrumentation.rmi.enabled=false\n```\n\n### Credits\nThis vulnerability was responsibly disclosed in coordination with Datadog.",
  "id": "GHSA-xw7x-h9fj-p2c7",
  "modified": "2026-03-27T21:37:04Z",
  "published": "2026-03-25T21:27:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-xw7x-h9fj-p2c7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33701"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/commit/9cf4fbaaa9e79226142b2ed42a6f6b4ac0be2197"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-telemetry/opentelemetry-java-instrumentation"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/tag/v2.26.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution"
}

GHSA-XW96-38MM-H5JG

Vulnerability from github – Published: 2025-02-25 15:34 – Updated: 2026-04-01 18:33
VLAI
Details

Deserialization of Untrusted Data vulnerability in flexmls Flexmls® IDX allows Object Injection. This issue affects Flexmls® IDX: from n/a through 3.14.27.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-26900"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-25T15:15:25Z",
    "severity": "CRITICAL"
  },
  "details": "Deserialization of Untrusted Data vulnerability in flexmls Flexmls\u00ae IDX allows Object Injection. This issue affects Flexmls\u00ae IDX: from n/a through 3.14.27.",
  "id": "GHSA-xw96-38mm-h5jg",
  "modified": "2026-04-01T18:33:49Z",
  "published": "2025-02-25T15:34:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26900"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/flexmls-idx/vulnerability/wordpress-flexmls-idx-plugin-plugin-3-14-27-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XWM2-Q66G-H4XF

Vulnerability from github – Published: 2025-12-15 21:30 – Updated: 2025-12-15 21:30
VLAI
Details

MooreThreads torch_musa through all versions contains an unsafe deserialization vulnerability in torch_musa.utils.compare_tool. The compare_for_single_op() and nan_inf_track_for_single_op() functions use pickle.load() on user-controlled file paths without validation, allowing arbitrary code execution. An attacker can craft a malicious pickle file that executes arbitrary Python code when loaded, enabling remote code execution with the privileges of the victim process.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-65213"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-15T19:16:05Z",
    "severity": "CRITICAL"
  },
  "details": "MooreThreads torch_musa through all versions contains an unsafe deserialization vulnerability in torch_musa.utils.compare_tool. The compare_for_single_op() and nan_inf_track_for_single_op() functions use pickle.load() on user-controlled file paths without validation, allowing arbitrary code execution. An attacker can craft a malicious pickle file that executes arbitrary Python code when loaded, enabling remote code execution with the privileges of the victim process.",
  "id": "GHSA-xwm2-q66g-h4xf",
  "modified": "2025-12-15T21:30:31Z",
  "published": "2025-12-15T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65213"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MooreThreads/torch_musa/issues/110#issuecomment-3475809588"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XWPV-MVXP-GX82

Vulnerability from github – Published: 2023-12-29 15:30 – Updated: 2026-04-28 21:33
VLAI
Details

Deserialization of Untrusted Data vulnerability in Saleswonder Team Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition.This issue affects Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition: from n/a through 3.05.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-51422"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-29T13:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "Deserialization of Untrusted Data vulnerability in Saleswonder Team Webinar Plugin: Create live/evergreen/automated/instant webinars, stream \u0026 Zoom Meetings | WebinarIgnition.This issue affects Webinar Plugin: Create live/evergreen/automated/instant webinars, stream \u0026 Zoom Meetings | WebinarIgnition: from n/a through 3.05.0.",
  "id": "GHSA-xwpv-mvxp-gx82",
  "modified": "2026-04-28T21:33:39Z",
  "published": "2023-12-29T15:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51422"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/webinar-ignition/wordpress-webinarignition-plugin-3-05-0-authenticated-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XWRQ-J8PG-PQXM

Vulnerability from github – Published: 2023-02-15 21:30 – Updated: 2023-02-24 21:30
VLAI
Details

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38111"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-15T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.",
  "id": "GHSA-xwrq-j8pg-pqxm",
  "modified": "2023-02-24T21:30:20Z",
  "published": "2023-02-15T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38111"
    },
    {
      "type": "WEB",
      "url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-1_release_notes.htm"
    },
    {
      "type": "WEB",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38111"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XWW2-FJCQ-4HHV

Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2024-05-14 15:32
VLAI
Details

The Advanced Ads plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.52.1 via deserialization of untrusted input in the 'placement_slug' parameter. This makes it possible for authenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2290"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T15:18:45Z",
    "severity": "HIGH"
  },
  "details": "The Advanced Ads plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.52.1 via deserialization of untrusted input in the \u0027placement_slug\u0027 parameter. This makes it possible for authenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.",
  "id": "GHSA-xww2-fjcq-4hhv",
  "modified": "2024-05-14T15:32:54Z",
  "published": "2024-05-14T15:32:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2290"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/advanced-ads/trunk/modules/import-export/classes/import.php#L155"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3081914%40advanced-ads\u0026new=3081914%40advanced-ads\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f64336f7-ab2a-4e22-a76f-d077c51f9c57?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XWW8-MXQW-M84W

Vulnerability from github – Published: 2026-07-06 09:30 – Updated: 2026-07-06 21:30
VLAI
Details

Deserialization of Untrusted Data vulnerability in Apache Camel Hazelcast component.

The camel-hazelcast component creates and manages Hazelcast instances using a default configuration that applies no Java deserialization filter. When Camel builds the Hazelcast Config itself - that is, when no user-supplied HazelcastInstance, hazelcastConfigUri, or referenced Config bean is provided - neither Hazelcast's JavaSerializationFilterConfig nor a Camel-side ObjectInputFilter is configured, so objects received over the Hazelcast cluster protocol are deserialized inside Hazelcast's own serialization layer (ObjectInputStream.readObject) before Camel ever processes them. An attacker who can join or otherwise reach the Hazelcast cluster can publish a crafted serialized Java object that is then deserialized on every Camel node, resulting in remote code execution. The exposure is present by default and requires no opt-in endpoint configuration: any route using a hazelcast consumer (hazelcast-topic, hazelcast-queue, hazelcast-seda, hazelcast-map, hazelcast-multimap, hazelcast-replicatedmap, hazelcast-list, hazelcast-set), as well as the HazelcastAggregationRepository and HazelcastIdempotentRepository, is affected whenever the managed instance is created from Camel's default configuration. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes Camel apply a default Hazelcast JavaSerializationFilterConfig (whitelisting the java., javax. and org.apache.camel. class-name prefixes and blacklisting java.net.) to instances it creates from its own default configuration, while leaving any user-supplied Config or HazelcastInstance untouched. For deployments that cannot upgrade immediately, configure a deserialization filter on the Hazelcast instance (Hazelcast JavaSerializationFilterConfig, or the JVM-wide system property -Djdk.serialFilter=!java.net.;java.;javax.;org.apache.camel.;!*) and enable Hazelcast cluster authentication and TLS to restrict who can reach the cluster.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43865"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-06T09:16:35Z",
    "severity": "HIGH"
  },
  "details": "Deserialization of Untrusted Data vulnerability in Apache Camel Hazelcast component.\n\nThe camel-hazelcast component creates and manages Hazelcast instances using a default configuration that applies no Java deserialization filter. When Camel builds the Hazelcast Config itself - that is, when no user-supplied HazelcastInstance, hazelcastConfigUri, or referenced Config bean is provided - neither Hazelcast\u0027s JavaSerializationFilterConfig nor a Camel-side ObjectInputFilter is configured, so objects received over the Hazelcast cluster protocol are deserialized inside Hazelcast\u0027s own serialization layer (ObjectInputStream.readObject) before Camel ever processes them. An attacker who can join or otherwise reach the Hazelcast cluster can publish a crafted serialized Java object that is then deserialized on every Camel node, resulting in remote code execution. The exposure is present by default and requires no opt-in endpoint configuration: any route using a hazelcast consumer (hazelcast-topic, hazelcast-queue, hazelcast-seda, hazelcast-map, hazelcast-multimap, hazelcast-replicatedmap, hazelcast-list, hazelcast-set), as well as the HazelcastAggregationRepository and HazelcastIdempotentRepository, is affected whenever the managed instance is created from Camel\u0027s default configuration.\nThis issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes Camel apply a default Hazelcast JavaSerializationFilterConfig (whitelisting the java., javax. and org.apache.camel. class-name prefixes and blacklisting java.net.) to instances it creates from its own default configuration, while leaving any user-supplied Config or HazelcastInstance untouched. For deployments that cannot upgrade immediately, configure a deserialization filter on the Hazelcast instance (Hazelcast JavaSerializationFilterConfig, or the JVM-wide system property -Djdk.serialFilter=!java.net.**;java.**;javax.**;org.apache.camel.**;!*) and enable Hazelcast cluster authentication and TLS to restrict who can reach the cluster.",
  "id": "GHSA-xww8-mxqw-m84w",
  "modified": "2026-07-06T21:30:35Z",
  "published": "2026-07-06T09:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43865"
    },
    {
      "type": "WEB",
      "url": "https://camel.apache.org/security/CVE-2026-43865.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/07/05/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XWX6-VMJ4-5RV8

Vulnerability from github – Published: 2019-10-25 19:42 – Updated: 2021-08-18 22:04
VLAI
Summary
Denial of service via deserialization attack in nifi
Details

A vulnerability found in Apache NIFI before 1.5.0-RC1. Attacker can perform XXE attacks through JAXB.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.nifi:nifi-framework-cluster-protocol"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-15703"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-10-25T17:13:19Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "A vulnerability found in Apache NIFI before 1.5.0-RC1. Attacker can perform XXE attacks through JAXB.",
  "id": "GHSA-xwx6-vmj4-5rv8",
  "modified": "2021-08-18T22:04:41Z",
  "published": "2019-10-25T19:42:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apache/nifi/commit/9e2c7be7d3c6a380c5f61074d9a5a690b617c3dc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial of service via deserialization attack in nifi"
}

GHSA-XX24-9F8Q-XH6X

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03
VLAI
Details

Re-Logic Terraria before 1.4.2.3 performs Insecure Deserialization.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-32075"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-24T13:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Re-Logic Terraria before 1.4.2.3 performs Insecure Deserialization.",
  "id": "GHSA-xx24-9f8q-xh6x",
  "modified": "2022-05-24T19:03:06Z",
  "published": "2022-05-24T19:03:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32075"
    },
    {
      "type": "WEB",
      "url": "https://store.steampowered.com/news/app/105600/view/3062989030626131236"
    },
    {
      "type": "WEB",
      "url": "https://terraria.fandom.com/wiki/1.4.2.3"
    },
    {
      "type": "WEB",
      "url": "https://twitter.com/relogicgames"
    },
    {
      "type": "WEB",
      "url": "https://vuln.ryotak.me/advisories/42"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XX5F-QGCW-MF6J

Vulnerability from github – Published: 2024-03-27 06:30 – Updated: 2026-04-28 21:34
VLAI
Details

Deserialization of Untrusted Data vulnerability in Echo Plugins Knowledge Base for Documentation, FAQs with AI Assistance.This issue affects Knowledge Base for Documentation, FAQs with AI Assistance: from n/a through 11.30.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-24842"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-27T06:15:17Z",
    "severity": "HIGH"
  },
  "details": "Deserialization of Untrusted Data vulnerability in Echo Plugins Knowledge Base for Documentation, FAQs with AI Assistance.This issue affects Knowledge Base for Documentation, FAQs with AI Assistance: from n/a through 11.30.2.",
  "id": "GHSA-xx5f-qgcw-mf6j",
  "modified": "2026-04-28T21:34:17Z",
  "published": "2024-03-27T06:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24842"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/echo-knowledge-base/wordpress-knowledge-base-for-documentation-faqs-with-ai-assistance-plugin-11-30-2-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Mitigation
Implementation

When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Mitigation
Implementation

Explicitly define a final object() to prevent deserialization.

Mitigation
Architecture and Design Implementation
  • Make fields transient to protect them from deserialization.
  • An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Implementation

Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.

Mitigation
Architecture and Design Implementation

Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-586: Object Injection

An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.