CWE-502 (Deserialization of Untrusted Data) — Vulnerability Class, 1687 CVEs

1687 vulnerabilities are classified as CWE-502 (Deserialization of Untrusted Data). An AI-generated analysis is included.

CWE-502 covers applications that deserialize untrusted data without ensuring that the result is valid. An attacker crafts a serialized object which, when the application reconstructs it, instantiates classes or invokes methods the developer never intended; chains of such "gadgets" found in the application's own libraries commonly end in remote code execution, with denial of service and privilege escalation as other typical outcomes. The deserialization step itself is the attack surface, so any check performed on the resulting object runs too late. Mitigation starts with not deserializing data from untrusted sources at all. Where that is impossible, restrict the deserializer to an allowlist of permitted types, validate the structure of the result before using it, or move to a data-only format such as JSON; note that JSON is only safer when the parser is not configured for polymorphic typing that maps a type name in the input to an arbitrary class. An HMAC or signature over the raw serialized bytes, verified before parsing begins, keeps tampered payloads from ever reaching the deserializer. It does not help if the signing key is exposed or the signed content can itself be attacker-influenced, so it complements an allowlist rather than replacing it.

MITRE CWE Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Common Consequences (3)
Integrity: Modify Application Data, Unexpected State
Attackers can modify unexpected objects or data that was assumed to be safe from modification. Deserialized data or code could be modified without using the provided accessor functions, or unexpected functions could be invoked.
Availability: DoS: Resource Consumption (CPU)
If a function is making an assumption on when to terminate, based on a sentinel in a string, it could easily never terminate.
Other: Varies by Context
The consequences can vary widely, because it depends on which objects or methods are being deserialized, and how they are used. Making an assumption that the code in the deserialized object is valid is dangerous and can enable exploitation. One example is attackers using gadget chains to perform una…
Mitigations (5)
Architecture and Design, Implementation: If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Implementation: When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Implementation: Explicitly define a final readObject() method that rejects deserialization (for example, by throwing an exception) so that instances of the class cannot be deserialized.
Architecture and Design, Implementation: Make fields transient to protect them from deserialization. An attempt to serialize and then deserialize a class containing transient fields will result in null (default) values where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Implementation: Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are…
Examples (2)
This code snippet deserializes an object from a file and uses it as a UI button:
```java
import java.io.File;
import java.io.FileInputStream;
import java.io.ObjectInputStream;

// Bad: readObject() instantiates whatever class the stream names, and any
// readObject()/gadget logic in that class runs before the cast to JButton fails.
try {
    File file = new File("object.obj");
    ObjectInputStream in = new ObjectInputStream(new FileInputStream(file));
    javax.swing.JButton button = (javax.swing.JButton) in.readObject();
    in.close();
} catch (java.io.IOException | ClassNotFoundException e) {
    // error handling omitted in the original example
}
```
Bad · Java
```java
// Good: a readObject() that always throws makes instances of this class
// impossible to deserialize, whatever the incoming stream contains.
private final void readObject(ObjectInputStream in) throws java.io.IOException {
    throw new java.io.IOException("Cannot be deserialized");
}
```
Good · Java
In Python, the pickle module (cPickle in Python 2) handles serialization and deserialization. In this example, derived from [REF-467], the code receives and parses data, then tries to authenticate a user by validating a token. The token is unpickled before its HMAC is checked, so a malicious pickle executes no matter how the check turns out.
```python
import base64
import cPickle  # Python 2; use pickle on Python 3
from twisted.internet import protocol

# check_hmac(), getSecretKey() and AuthFail are defined elsewhere in the original.


class ExampleProtocol(protocol.Protocol):
    def dataReceived(self, data):
        # Code that would be here would parse the incoming data
        # After receiving headers, call confirmAuth() to authenticate
        pass

    def confirmAuth(self, headers):
        try:
            # Bad: the attacker-controlled token is unpickled (and any gadget
            # inside it runs) before the HMAC check can reject it.
            token = cPickle.loads(base64.b64decode(headers['AuthToken']))
            if not check_hmac(token['signature'], token['data'], getSecretKey()):
                raise AuthFail
            self.secure_data = token['data']
        except:
            raise AuthFail
```
Bad · Python
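The following is an added example, not code from the page or from the [REF-467] source, that carries the pickle example above through to a fixed version and exercises the mitigations the summary paragraph lists: verify an HMAC over the raw bytes before anything is parsed, deserialize through an allowlisting Unpickler, and populate a fresh object from validated fields. It uses Python 3's pickle module; the key, the token layout (32-byte HMAC-SHA256 followed by the pickled payload) and the `ExecGadget` payload are all constructed for the demo. The gadget only sets a marker on the builtins module so its execution is observable without doing harm.

```python
import base64
import builtins
import hashlib
import hmac
import io
import pickle

# Constructed for this example; a real key comes from a secret store.
SECRET_KEY = b"demo-secret-key-not-for-production"
SIG_LEN = hashlib.sha256().digest_size  # 32 bytes


class AuthFail(Exception):
    pass


class ExecGadget:
    """Constructed attacker payload: when pickle.loads() reaches the REDUCE
    opcode it calls exec() on ATTACKER_CODE. Here that only sets a marker on
    builtins; a real payload would call os.system() or similar."""
    ATTACKER_CODE = "import builtins; builtins.CWE502_GADGET_RAN = True"

    def __reduce__(self):
        return (exec, (self.ATTACKER_CODE,))


def gadget_ran():
    return getattr(builtins, "CWE502_GADGET_RAN", False)


def reset_marker():
    if hasattr(builtins, "CWE502_GADGET_RAN"):
        delattr(builtins, "CWE502_GADGET_RAN")


def sign(payload):
    """HMAC-SHA256 over the raw serialized bytes, never over a parsed object."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def make_attacker_token():
    """What an attacker sends as AuthToken: a pickled gadget with no valid MAC."""
    return base64.b64encode(pickle.dumps(ExecGadget()))


def make_signed_token(data):
    """Server-side issuance: token = base64(HMAC(payload) || payload)."""
    payload = pickle.dumps(data)
    return base64.b64encode(sign(payload) + payload)


def make_signed_gadget_token():
    """Worst case for the fixed path: a correctly signed gadget (leaked key or
    compromised issuer). The allowlist still has to stop it."""
    payload = pickle.dumps(ExecGadget())
    return base64.b64encode(sign(payload) + payload)


def confirm_auth_vulnerable(headers):
    """Same ordering as the page's confirmAuth(): unpickle first, verify second."""
    try:
        token = pickle.loads(base64.b64decode(headers["AuthToken"]))  # gadget fires here
        if not hmac.compare_digest(token["signature"], sign(token["data"])):
            raise AuthFail
        return token["data"]
    except Exception:
        raise AuthFail


class AllowlistUnpickler(pickle.Unpickler):
    """Refuses every GLOBAL/STACK_GLOBAL reference not on the allowlist. Plain
    dicts, lists, str, bytes and numbers need no imports, so a data-only token
    works with an empty allowlist and every gadget is rejected."""
    ALLOWED = frozenset()  # (module, name) pairs

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def confirm_auth_fixed(headers):
    """Verify the MAC over raw bytes, then deserialize with an allowlist, then
    validate the shape before anything is used."""
    try:
        raw = base64.b64decode(headers["AuthToken"], validate=True)
        sig, payload = raw[:SIG_LEN], raw[SIG_LEN:]
        if len(sig) != SIG_LEN or not hmac.compare_digest(sig, sign(payload)):
            raise AuthFail  # untrusted bytes never reach the unpickler
        data = AllowlistUnpickler(io.BytesIO(payload)).load()
    except (KeyError, ValueError, EOFError, pickle.UnpicklingError):
        raise AuthFail
    # Populate a new object from validated fields instead of trusting the result.
    if not isinstance(data, dict) or not all(
        isinstance(k, str) and isinstance(v, str) for k, v in data.items()
    ):
        raise AuthFail
    return dict(data)


def attempt(check, token):
    """Run a confirm_auth_* variant; report (authenticated, gadget_ran, data)."""
    reset_marker()
    try:
        data = check({"AuthToken": token})
        return (True, gadget_ran(), data)
    except AuthFail:
        return (False, gadget_ran(), None)


if __name__ == "__main__":
    print("vulnerable, attacker token:", attempt(confirm_auth_vulnerable, make_attacker_token()))
    print("fixed, attacker token:     ", attempt(confirm_auth_fixed, make_attacker_token()))
    print("fixed, signed gadget:      ", attempt(confirm_auth_fixed, make_signed_gadget_token()))
    print("fixed, legitimate token:   ", attempt(confirm_auth_fixed, make_signed_token({"user": "alice"})))
```

The vulnerable variant rejects the forged token, yet the gadget has already run by the time `AuthFail` is raised; authentication failing is no consolation. The fixed variant never hands unverified bytes to the unpickler, and the `find_class` override is what saves it when the MAC check alone is not enough: a signed gadget passes the HMAC but is refused on its first global reference before any REDUCE can execute. `hmac.compare_digest` is used so the signature comparison does not leak timing.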
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2022-46366 | Apache Tapestry prior to version 4 (EOL) allows RCE through deserialization of untrusted input | Apache Tapestry | 9.8 | - | 2022-12-02 |
| CVE-2022-36964 | SolarWinds Platform Deserialization of Untrusted Data | SolarWinds Platform | 8.8 | High | 2022-11-29 |
| CVE-2022-41958 | Deserialization Vulnerability by yaml config input in super-xray | super-xray | 7.3 | High | 2022-11-25 |
| CVE-2022-41875 | Remote Code Execution in Optica | optica | 10.0 | Critical | 2022-11-23 |
| CVE-2022-41922 | yiisoft/yii before v1.1.27 vulnerable to Remote Code Execution if the application calls `unserialize()` on arbitrary user input | yii | 8.1 | High | 2022-11-23 |
| CVE-2022-3861 | Betheme <= 26.5.1.4 - Authenticated (Subscriber+) PHP Object Injection | Betheme | 8.8 | High | 2022-11-21 |
| CVE-2022-3525 | Deserialization of Untrusted Data in librenms/librenms | librenms/librenms | 9.8 | - | 2022-11-20 |
| CVE-2022-45047 | Apache MINA SSHD: Java unsafe deserialization vulnerability | Apache MINA SSHD | 9.8 | - | 2022-11-16 |
| CVE-2022-45136 | Apache Jena SDB allows arbitrary deserialisation via JDBC | Apache Jena SDB | 9.8 | - | 2022-11-14 |
| CVE-2022-41203 | SAP BusinessObjects BI Platform code issue vulnerability | SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad) | 8.8 | - | 2022-11-08 |
| CVE-2022-3536 | Role Based Pricing for WooCommerce < 1.6.3 - Subscriber+ PHAR Deserialization | Role Based Pricing for WooCommerce | 8.8 | - | 2022-11-07 |
| CVE-2022-43567 | Remote Code Execution via the Splunk Secure Gateway application Mobile Alerts feature | Splunk Enterprise | 8.8 | High | 2022-11-04 |
| CVE-2022-39379 | Fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration) | fluentd | 3.1 | Low | 2022-11-02 |
| CVE-2022-41779 | Delta Electronics InfraSuite Device Master code issue vulnerability | InfraSuite Device Master | 8.8 | High | 2022-10-31 |
| CVE-2022-38142 | Delta Electronics InfraSuite Device Master code issue vulnerability | InfraSuite Device Master | 9.8 | Critical | 2022-10-31 |
| CVE-2022-3334 | Easy WP SMTP < 1.5.0 - Admin+ PHP Object Injection | Easy WP SMTP | 7.2 | - | 2022-10-31 |
| CVE-2022-3357 | Smart Slider 3 < 3.5.1.11 - PHP Object Injection | Smart Slider 3 | 9.8 | - | 2022-10-31 |
| CVE-2022-3360 | LearnPress < 4.1.7.2 - Unauthenticated PHP Object Injection via REST API | LearnPress – WordPress LMS Plugin | 8.1 | - | 2022-10-31 |
| CVE-2022-3366 | PublishPress Capabilities < 2.5.2 - Admin+ PHP Object Injection | PublishPress Capabilities – User Role Access, Editor Permissions, Admin Menus | 7.2 | - | 2022-10-31 |
| CVE-2022-3374 | Ocean Extra < 2.0.5 - Admin+ PHP Object Injection | Ocean Extra | 7.2 | - | 2022-10-31 |
| CVE-2022-3380 | Customizer Export/Import < 0.9.5 - Admin+ PHP Object Injection | Customizer Export/Import | 7.2 | - | 2022-10-31 |
| CVE-2022-40238 | A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5 | VINCE - The Vulnerability Information and Coordination Environment | 8.0 | - | 2022-10-26 |
| CVE-2022-3335 | Kadence WooCommerce Email Designer < 1.5.7 - Admin+ PHP Object Injection | Kadence WooCommerce Email Designer | 7.2 | - | 2022-10-25 |
| CVE-2022-38108 | SolarWinds Platform Deserialization of Untrusted Data | SolarWinds Platform | 7.2 | High | 2022-10-20 |
| CVE-2022-36958 | SolarWinds Platform Deserialization of Untrusted Data | SolarWinds Platform | 8.8 | High | 2022-10-20 |
| CVE-2022-36957 | SolarWinds Platform Deserialization of Untrusted Data | SolarWinds Platform | 7.2 | High | 2022-10-20 |
| CVE-2022-23734 | Deserialization of Untrusted Data vulnerability in GitHub Enterprise Server leading to Remote Code Execution | GitHub Enterprise Server | 8.8 | - | 2022-10-19 |
| CVE-2022-39198 | Apache Dubbo Hessian Deserialization Vulnerability Gadgets Bypass | Apache Dubbo | 9.8 | - | 2022-10-18 |
| CVE-2022-39311 | Compromised agents may be able to execute remote code on GoCD Server | gocd | 9.1 | Critical | 2022-10-14 |
| CVE-2022-39297 | Deserialization of untrusted data in MelisCms | melis-cms | 7.7 | High | 2022-10-12 |

The 1687 CVEs on this page are classified as CWE-502 (Deserialization of Untrusted Data). The CWE entry describes the weakness class; review the individual CVEs for product-specific impact.