What is Insecure Deserialization?
Insecure deserialization occurs when an application deserializes untrusted data without validation, potentially allowing attackers to manipulate objects, escalate privileges, or execute arbitrary code.
- 1.Definition
- 2.How Deserialization Attacks Work
- 3.Affected Contexts
- 4.Prevention
- 5.Insecure Deserialization and Autonomous Code Governance
Definition
Insecure deserialization is a vulnerability that occurs when an application deserializes data from an untrusted source without sufficient validation. Serialization converts an object to a transmittable format (JSON, XML, binary). Deserialization reconstructs the object from that format. When the input to deserialization is attacker-controlled and the application does not validate it, the reconstructed objects may have attacker-defined properties, leading to object manipulation, authentication bypass, or in severe cases, remote code execution.
OWASP placed insecure deserialization in the Top 10 2017 and it appears under "Software and Data Integrity Failures" in the 2021 edition. It is harder to exploit than injection vulnerabilities but often leads to more severe outcomes.
How Deserialization Attacks Work
The severity of a deserialization attack depends on what the application does with the deserialized object and which deserialization library is in use. Common attack patterns:
Object manipulation
The attacker crafts a serialized payload that produces an object with modified properties — an isAdmin field set to true, a userId changed to a target account. If the application trusts the deserialized object without re-validating its fields, the attacker gains unauthorized access.
Magic method exploitation
Many languages invoke special methods automatically during deserialization (__wakeup in PHP, readObject in Java). If these methods perform unsafe operations (file access, system calls, database queries) with attacker-controlled data, they become an attack vector. This is the basis of most Java deserialization gadget chain attacks.
Remote code execution via gadget chains
In Java, .NET, PHP, and Ruby, attackers can construct chains of existing library methods ("gadgets") that, when deserialized, execute arbitrary system commands. These are among the most severe application vulnerabilities because exploitation requires only the ability to send a payload to a deserialization endpoint.
Affected Contexts
- Java applications using ObjectInputStream with untrusted data
- PHP applications using unserialize() on user-supplied input
- .NET applications using BinaryFormatter or NetDataContractSerializer
- Python applications using pickle.loads() on untrusted data
- Any application that stores serialized objects in cookies, tokens, or API parameters
Prevention
Avoid deserializing untrusted data
The most effective defense is not deserializing data from untrusted sources at all. Use safer data formats (JSON with schema validation) instead of native serialization formats for data that crosses trust boundaries.
Integrity checking
If serialized data must be transmitted, sign it with a secret key (HMAC) before transmission and verify the signature before deserialization. An attacker who cannot forge the signature cannot tamper with the payload.
Use safe deserializers
Prefer deserializers that do not instantiate arbitrary objects — JSON parsers that map to a fixed schema are safer than native binary serialization formats that reconstruct full object graphs.
Deserialization filters
Java 9+ supports deserialization filters that allowlist acceptable classes. This prevents gadget chain attacks by refusing to deserialize unexpected types.
| Language/Format | Risk Level | Primary Attack | Safer Alternative |
|---|---|---|---|
| Java ObjectInputStream | Critical | Gadget chain RCE | JSON with Jackson (typed binding) |
| PHP unserialize() | High | Magic method abuse, RCE | json_decode() |
| Python pickle | Critical | Arbitrary code execution | JSON or msgpack |
| .NET BinaryFormatter | High | Gadget chain RCE | System.Text.Json |
| JSON (schema-validated) | Low | Logic manipulation if schema weak | Use strict schema validation |
Insecure Deserialization and Autonomous Code Governance
Hydra detects insecure deserialization by identifying the use of unsafe deserialization APIs — Java ObjectInputStream, PHP unserialize(), Python pickle.loads(), .NET BinaryFormatter — with untrusted input. Fixes replace dangerous deserialization patterns with safer alternatives: JSON parsing with schema validation, signed payloads, or typed deserialization with allowlisted classes. The fix strategy is chosen based on the framework and usage context found in the codebase.
Frequently Asked Questions
Is JSON deserialization safe?
JSON parsing with a standard JSON library is generally safe because most parsers do not instantiate arbitrary objects. The risk re-emerges when using polymorphic deserialization features — like Jackson's default typing or GSON's RuntimeTypeAdapterFactory — which can reconstruct arbitrary types from attacker-controlled type fields. Disable default typing and use explicit, fixed-schema deserialization.
How common are deserialization attacks in practice?
Less common than injection attacks, but when they occur they are often catastrophic — leading to remote code execution on application servers. High-profile examples include the Apache Struts vulnerability exploited in the Equifax breach and numerous Java application server exploits.
Does insecure deserialization only affect server-side code?
Primarily, yes. Client-side deserialization of attacker-controlled data (in browser JavaScript) can lead to prototype pollution or logic manipulation, but the most severe gadget chain attacks require server-side execution environments.
Stop flagging. Start fixing.
Hyrax reviews your pull requests, remediates issues autonomously, and closes the ticket.
Join the waitlist