
CWE-502 (Deserialization of Untrusted Data): Vulnerability Class, 1716 CVEs

1716 vulnerabilities are classified as CWE-502 (Deserialization of Untrusted Data). AI-generated Chinese analysis is included.

CWE-502 represents a critical security weakness where applications deserialize untrusted data without validating its integrity or structure. Attackers typically exploit this vulnerability by crafting malicious serialized objects that, when processed by the application, trigger unintended code execution or logic flaws. This often leads to remote code execution, denial of service, or privilege escalation, as the deserialization process may instantiate dangerous classes or invoke unsafe methods. To mitigate this risk, developers must strictly avoid deserializing data from untrusted sources. Instead, they should implement robust input validation, use allowlists for permitted data types, or adopt safer serialization formats like JSON that do not inherently support arbitrary object instantiation. Additionally, employing cryptographic signatures to verify data authenticity before deserialization ensures that only trusted, unaltered payloads are processed, effectively neutralizing the threat of malicious object injection.

MITRE CWE Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Common Consequences (3)
Integrity: Modify Application Data, Unexpected State
Attackers can modify unexpected objects or data that was assumed to be safe from modification. Deserialized data or code could be modified without using the provided accessor functions, or unexpected functions could be invoked.
Availability: DoS: Resource Consumption (CPU)
If a function is making an assumption on when to terminate, based on a sentry in a string, it could easily never terminate.
Other: Varies by Context
The consequences can vary widely, because it depends on which objects or methods are being deserialized, and how they are used. Making an assumption that the code in the deserialized object is valid is dangerous and can enable exploitation. One example is attackers using gadget chains to perform una…
Mitigations (5)
Architecture and Design, Implementation: If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Implementation: When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Implementation: Explicitly define a final object() to prevent deserialization.
Architecture and Design, Implementation: Make fields transient to protect them from deserialization. An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Implementation: Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are…
Examples (2)
This code snippet deserializes an object from a file and uses it as a UI button:
    try {
        File file = new File("object.obj");
        ObjectInputStream in = new ObjectInputStream(new FileInputStream(file));
        // Nothing checks where object.obj came from or what it contains before it is deserialized.
        javax.swing.JButton button = (javax.swing.JButton) in.readObject();
        in.close();
    } catch (IOException | ClassNotFoundException e) {
        // handle the error
    }

Bad · Java

Declaring a final readObject() that always throws prevents instances of the class from being deserialized at all:

    private final void readObject(ObjectInputStream in) throws java.io.IOException {
        throw new java.io.IOException("Cannot be deserialized");
    }

Good · Java
In Python, the Pickle library handles the serialization and deserialization processes. In this example derived from [REF-467], the code receives and parses data, and afterwards tries to authenticate a user based on validating a token.
    import base64
    import cPickle  # Python 2 pickle module, as in the original [REF-467] example
    from twisted.internet import protocol

    class ExampleProtocol(protocol.Protocol):
        def dataReceived(self, data):
            # Code that would be here would parse the incoming data
            # After receiving headers, call confirmAuth() to authenticate
            pass

        def confirmAuth(self, headers):
            try:
                # The token is unpickled BEFORE its HMAC is checked, so a forged
                # AuthToken is fully deserialized (and any gadget inside it runs)
                # before the signature comparison can reject it.
                token = cPickle.loads(base64.b64decode(headers['AuthToken']))
                if not check_hmac(token['signature'], token['data'], getSecretKey()):
                    raise AuthFail
                self.secure_data = token['data']
            except:
                raise AuthFail

Bad · Python
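The two mitigations listed above (an HMAC over the serialized bytes, and an allowlist of acceptable classes) fix the ordering flaw in the Python example: the signature must be checked over the raw bytes before anything is unpickled, and the unpickler must refuse to resolve any class that is not explicitly permitted. The following is an added example written for this page, not code from MITRE or from [REF-467]. It assumes Python 3 (`pickle` instead of `cPickle`), a constructed secret key, and a token layout of my own design (32-byte SHA-256 HMAC followed by the pickle payload, base64-encoded); `confirm_auth`, `make_token`, `RestrictedUnpickler` and the helper names are all hypothetical.

```python
import base64
import collections
import hashlib
import hmac
import io
import pickle

# Constructed secret for the example; a real service loads this from a secret store.
SECRET_KEY = b"example-secret-key-not-for-production"

# Allowlist of (module, name) pairs the unpickler may resolve. Plain dicts, lists,
# strings and numbers never trigger a global lookup; anything that does must be listed.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}

SIG_LEN = hashlib.sha256().digest_size  # 32 bytes


class AuthFail(Exception):
    """Raised for any malformed, tampered or disallowed token."""


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals on the allowlist (CWE-502 allowlist mitigation)."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not on the allowlist")


def make_token(data, key=SECRET_KEY):
    """Server-side issuer: serialize the claims and sign the raw serialized bytes."""
    payload = pickle.dumps(data, protocol=4)
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(sig + payload)


def confirm_auth(auth_token_b64, key=SECRET_KEY):
    """Verify the HMAC first, then deserialize only through the restricted unpickler."""
    try:
        blob = base64.b64decode(auth_token_b64, validate=True)
    except (ValueError, TypeError):
        raise AuthFail("malformed token")
    if len(blob) < SIG_LEN:
        raise AuthFail("token too short")
    sig, payload = blob[:SIG_LEN], blob[SIG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison happens BEFORE any byte of the payload is unpickled,
    # which is the ordering the page's vulnerable example gets wrong.
    if not hmac.compare_digest(sig, expected):
        raise AuthFail("bad signature")
    try:
        return RestrictedUnpickler(io.BytesIO(payload)).load()
    except pickle.UnpicklingError as exc:
        raise AuthFail(f"rejected payload: {exc}")


def try_confirm(token):
    """Convenience wrapper returning ('ok', claims) or ('fail', reason)."""
    try:
        return ("ok", confirm_auth(token))
    except AuthFail as exc:
        return ("fail", str(exc))


def tampered_token(token):
    """Constructed attacker-style modification: flip one byte inside the signed payload."""
    blob = bytearray(base64.b64decode(token))
    idx = SIG_LEN + (len(blob) - SIG_LEN) // 2
    blob[idx] ^= 0x01
    return base64.b64encode(bytes(blob))


def token_with_disallowed_global(key=SECRET_KEY):
    """A correctly signed token whose payload references collections.OrderedDict,
    which is not on the allowlist; it shows the second line of defence working."""
    return make_token(collections.OrderedDict(role="admin"), key)


if __name__ == "__main__":
    good = make_token({"user": "alice", "role": "reader"})
    print(try_confirm(good))                          # ('ok', {...})
    print(try_confirm(tampered_token(good)))          # ('fail', 'bad signature')
    print(try_confirm(token_with_disallowed_global()))  # ('fail', 'rejected payload: ...')
    print(try_confirm(b"not base64!!"))               # ('fail', 'malformed token')
```

Two properties are worth noting. The HMAC covers the raw pickle bytes, so a forged or modified payload is rejected without ever reaching the unpickler, and the comparison uses `hmac.compare_digest` to avoid timing leaks. The allowlist is a second, independent control: even a token signed with a leaked key cannot instantiate a class the service did not opt into.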
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2023-31058 | Apache InLong: JDBC URL bypassing by adding blanks | Apache InLong | 9.8 | - | 2023-05-22
CVE-2023-32336 | IBM InfoSphere Information Server code execution | InfoSphere Information Server | 8.8 | High | 2023-05-22
CVE-2023-30899 | Siemens Siveillance Video Mobile Server code issue vulnerability | Siveillance Video 2020 R2 | 9.9 | Critical | 2023-05-09
CVE-2023-30898 | Siemens Siveillance Video Mobile Server code issue vulnerability | Siveillance Video 2020 R2 | 9.9 | Critical | 2023-05-09
CVE-2023-20853 | aEnrich a+HRD - Deserialization of Untrusted Data | a+HRD | 9.8 | Critical | 2023-04-27
CVE-2023-20852 | aEnrich a+HRD - Deserialization of Untrusted Data | a+HRD | 9.8 | Critical | 2023-04-27
CVE-2023-2141 | Unsafe .NET object deserialization affecting DELMIA Apriso Release 2017 through Release 2022 | DELMIA Apriso | 8.5 | High | 2023-04-21
CVE-2023-2042 | DataGear JDBC Server deserialization | DataGear | 6.3 | Medium | 2023-04-14
CVE-2023-29216 | Apache Linkis DatasourceManager module has a deserialization command execution | Apache Linkis | 9.8 | - | 2023-04-10
CVE-2023-29215 | Apache Linkis JDBC EngineCon has a deserialization command execution | Apache Linkis | 9.8 | - | 2023-04-10
CVE-2023-29006 | Order GLPI plugin vulnerable to remote code execution from authenticated user | order | 8.8 | High | 2023-04-05
CVE-2023-20102 | Cisco Secure Network Analytics Remote Code Execution Vulnerability | Cisco Secure Network Analytics | 8.8 | High | 2023-04-05
CVE-2022-2561 | OPC Labs QuickOPC code issue vulnerability | QuickOPC | 7.8 | - | 2023-03-29
CVE-2022-28685 | AVEVA Edge code issue vulnerability | Edge | 7.8 | - | 2023-03-29
CVE-2022-36971 | Ivanti Avalanche code issue vulnerability | Avalanche | 9.8 | - | 2023-03-29
CVE-2022-36974 | Ivanti Avalanche code issue vulnerability | Avalanche | 9.8 | - | 2023-03-29
CVE-2022-36977 | Ivanti Avalanche code issue vulnerability | Avalanche | 9.8 | - | 2023-03-29
CVE-2022-36978 | Ivanti Avalanche code issue vulnerability | Avalanche | 9.8 | - | 2023-03-29
CVE-2023-1399 | Keysight Technologies N6854A Geolocation server code issue vulnerability | N6854A Geolocation Server | 7.8 | High | 2023-03-27
CVE-2023-1145 | Delta Electronics InfraSuite Device Master code issue vulnerability | InfraSuite Device Master | 7.8 | High | 2023-03-27
CVE-2023-27296 | Apache InLong: JDBC Deserialization Vulnerability in InLong | Apache InLong | 8.8 | - | 2023-03-27
CVE-2023-26359 | Adobe ColdFusion Deserialization of Untrusted Data Arbitrary code execution | ColdFusion | 9.8 | Critical | 2023-03-23
CVE-2023-27978 | Schneider Electric IGSS Data Server code issue vulnerability | IGSS Data Server (IGSSdataServer.exe) | 7.8 | High | 2023-03-21
CVE-2023-28115 | Snappy vulnerable to PHAR deserialization, allowing remote code execution | snappy | 9.8 | Critical | 2023-03-17
CVE-2023-26464 | Apache Log4j 1.x (EOL) allows DoS in Chainsaw and SocketAppender | Apache Log4j | 7.5 | - | 2023-03-10
CVE-2023-23638 | Apache Dubbo Deserialization Vulnerability Gadgets Bypass | Apache Dubbo | 5.0 | Medium | 2023-03-08
CVE-2022-23535 | LiteDB contains Deserialization of Untrusted Data | LiteDB | 7.3 | High | 2023-02-24
CVE-2023-0960 | SeaCMS Picture Management config.ftp.php deserialization | SeaCMS | 4.7 | Medium | 2023-02-22
CVE-2022-48282 | Deserializing compromised object with MongoDB .NET/C# Driver may cause remote code execution | MongoDB .NET/C# Driver | 6.6 | Medium | 2023-02-21
CVE-2022-47986 | IBM Aspera Faspex code execution | Aspera Faspex | 9.8 | Critical | 2023-02-17

Vulnerabilities classified as CWE-502 (Deserialization of Untrusted Data) account for 1716 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.