Deserialization of Untrusted Data
Description
User-controlled data passed to an 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.
Examples
Insecure Code

```javascript
const serializeToJs = require('serialize-to-js');

// Untrusted input goes straight into the deserializer.
serializeToJs.deserialize(userInput);
```

Secure Code

```javascript
const serializeToJs = require('serialize-to-js');

// validateUserInput is an application-supplied check (not shown here) that
// rejects anything outside the expected shape before deserialization.
const safeInput = validateUserInput(userInput);
serializeToJs.deserialize(safeInput);
```

Remediation
Validate and sanitize user input before passing it to the deserialize function. Consider using a safer serialization format, such as JSON, that carries data only and is never evaluated as code.
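As an added example (not part of the rule page and not serialize-to-js code), the remediation applied in code: untrusted text is parsed with JSON.parse, which yields data only, and the result is checked against an allow-listed shape. The expected shape ({ id, name, tags }) and the size limits are assumptions.

```javascript
// Added example: replace an evaluating deserializer with JSON.parse plus a
// strict shape check. Assumed expected shape: { id: integer, name: string, tags: string[] }.

const ALLOWED_KEYS = new Set(['id', 'name', 'tags']); // assumed allow-list
const MAX_INPUT_LENGTH = 4096;                         // assumed limit
const MAX_NAME_LENGTH = 64;                            // assumed limit

// Parse untrusted text as data only. JSON.parse never evaluates code, so
// a payload written as JavaScript source is simply a syntax error here.
function parseUntrusted(raw) {
  if (typeof raw !== 'string' || raw.length > MAX_INPUT_LENGTH) {
    throw new Error('input must be a string of bounded size');
  }
  let data;
  try {
    data = JSON.parse(raw);
  } catch (e) {
    throw new Error('input is not valid JSON');
  }
  return validateShape(data);
}

// Allow-list every key and type; anything else is rejected, including
// keys such as "__proto__" that the allow-list never contains.
function validateShape(data) {
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    throw new Error('expected a plain object');
  }
  for (const key of Object.keys(data)) {
    if (!ALLOWED_KEYS.has(key)) throw new Error(`unexpected key: ${key}`);
  }
  if (!Number.isInteger(data.id) || data.id < 0) {
    throw new Error('id must be a non-negative integer');
  }
  if (typeof data.name !== 'string' || data.name.length > MAX_NAME_LENGTH) {
    throw new Error('name must be a bounded string');
  }
  if (!Array.isArray(data.tags) || !data.tags.every((t) => typeof t === 'string')) {
    throw new Error('tags must be an array of strings');
  }
  // Build a fresh object so only the validated fields are returned.
  return { id: data.id, name: data.name, tags: data.tags.slice() };
}

// Constructed sample input for a stand-alone run.
console.log(parseUntrusted('{"id":7,"name":"alice","tags":["ops"]}'));
```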
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0378 |
| Category | Deserialization |
| Severity | CRITICAL |
| CWE | CWE-502 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | injection, deserialization |
| OWASP | A8:2017-Insecure Deserialization, A08:2021-Software and Data Integrity Failures |