Insecure Deserialization via ObjectInputStream
Description
Deserializing untrusted byte streams with ObjectInputStream is insecure deserialization: the stream, not the application, decides which Serializable classes on the classpath get instantiated, and their readObject()/readResolve() logic runs before the caller can cast or inspect the result. Chains of such classes ("gadget chains") are a common vector for remote code execution (RCE).
Examples
Insecure Code
```java
import java.io.*;

// Insecure: byteArray is untrusted, yet any Serializable class on the classpath may be instantiated here
ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(byteArray));
Object obj = ois.readObject(); // gadget chains execute during this call, before any cast or check
```
Secure Code
```java
import org.json.simple.*;
import org.json.simple.parser.*;

JSONParser parser = new JSONParser();
try {
    Object parsed = parser.parse(jsonString);
    // The parser only yields JSON containers and scalars, never application classes; still check the type before casting
    if (!(parsed instanceof JSONObject)) {
        throw new IllegalArgumentException("expected a JSON object");
    }
    JSONObject jsonObject = (JSONObject) parsed;
} catch (ParseException e) {
    // Handle exception
}
```
Remediation
Avoid deserializing arbitrary byte arrays with ObjectInputStream. Prefer a data-only format with a fixed schema, such as JSON parsed into known types with an allow-list of accepted fields, and validate the runtime type before casting. Where native Java serialization cannot be removed, install an ObjectInputFilter (Java 9+) that allow-lists the classes the stream may contain and bounds its depth, array lengths and reference count, so unexpected classes are rejected before their deserialization code runs.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0110 |
| Category | Deserialization |
| Severity | MEDIUM |
| CWE | CWE-502 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | insecure-deserialization, object-input-stream |
| OWASP | N/A |