What Deserialization Risk Is
Deserialization rebuilds in memory objects from a byte stream or text. When that stream is attacker controlled and the format supports rich type information, an attacker can craft a payload that instantiates dangerous objects, triggers unintended methods during reconstruction, or tampers with application state.
Why It Leads To Code Execution
- Some native serialization formats invoke callbacks while reconstructing objects, which can be chained into a gadget chain that ends in command execution.
- Even without code execution, deserialized data can carry forged fields that bypass checks, leading to privilege escalation or object injection.
Defenses
- Prefer simple data only formats like JSON parsed into known structures, avoiding native object serialization for untrusted input.
- If you must deserialize objects, enforce a strict type allowlist so only expected classes can be created.
- Add integrity protection such as a signature so tampered payloads are rejected before parsing.
- Run deserialization with least privilege and validate the resulting fields.
Key idea
Never deserialize untrusted data into rich native objects; use data only formats, allowlist expected types, and verify integrity before parsing.