Insecure deserialization

What is insecure deserialization?

Insecure deserialization is a cybersecurity vulnerability that occurs when an application converts untrusted data into an object without proper validation.

In programming, an object is a unit of code that groups related data and the actions that can be performed on that data.

Applications often rebuild objects from data they receive. If that data has been changed or tampered with, the application may reconstruct an object that behaves in unexpected or unsafe ways. In some cases, this can trigger actions that were never intended, including running harmful code.

Insecure deserialization often affects web applications that frequently exchange serialized data between clients, servers, and APIs.

How does insecure deserialization work?

Serialization converts an object into a format such as JSON, XML, or binary so it can be stored or transmitted. Deserialization reverses this process and rebuilds the data into an object within an application.

Insecure deserialization occurs when an application rebuilds objects from untrusted data without proper validation. A typical process looks like this:

1. Serialization: The application stores or sends serialized data.
2. Manipulation: An attacker modifies that data.
3. Deserialization: The application rebuilds the object without verifying the data.
4. Impact: The reconstructed object triggers unintended behavior.

This happens when the application assumes incoming data is safe and does not verify its integrity or origin.

Common causes include:

• Processing serialized data from user input, cookies, or external sources without validation.
• Not verifying whether the data has been changed.
• Using deserialization methods that automatically run code when objects are rebuilt.
• Weak security controls across systems that exchange serialized data.

Risks and security impact

Insecure deserialization can lead to several types of attacks:

• Remote code execution: Execution of attacker-controlled commands on the server.
• Privilege escalation: Gaining higher access levels than intended.
• Authentication bypass: Enables access without valid credentials.
• Data tampering or deletion: Unauthorized modification or removal of stored data.
• Denial of service (DoS): Disruption of application availability.

A simple example involves a web application that stores user session data in a serialized cookie. If that data is modified and not verified, the application may reconstruct the object with elevated permissions and grant unauthorized access.

How is insecure deserialization prevented?

Prevention focuses on reducing trust in incoming data and limiting how deserialization is used.

Common prevention measures include:

• Avoiding deserialization of untrusted data where possible.
• Using simpler data formats like JSON that do not allow code to run during processing.
• Avoiding model file formats and loading methods that rely on unsafe deserialization, such as Python pickle-based workflows sometimes used for .pth or .pt files, in favor of safer alternatives like .safetensors, which is designed for data storage without executing arbitrary code when loaded.
• Validating or signing data to verify integrity before processing.
• Restricting deserialization to known, approved object types.
• Keeping libraries and dependencies updated.

Further reading

• What is cybersecurity? A simple guide for beginners
• Privilege escalation explained: Types of attacks and prevention
• Cybersecurity vulnerabilities explained