Data Integrity Failures
Applications that don't verify the integrity of data, software updates, or CI/CD pipelines are vulnerable to tampering, for example through insecure deserialization and unsigned updates.
How It Works
Data integrity failures occur when code or infrastructure doesn't verify integrity. This includes deserializing untrusted data (which can lead to remote code execution), auto-updating without signature verification, or CI/CD pipelines without integrity checks. An attacker who can tamper with serialized data, dependencies, or build artifacts can inject malicious code that runs with full application privileges.
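```javascript
// Vulnerable: unserialize() runs on attacker-controlled input, which can lead to remote code execution.
const express = require('express');
const serialize = require('node-serialize');
const app = express();
app.use(express.json());

app.post('/api/session', (req, res) => {
  const session = serialize.unserialize(req.body.data);
  res.json(session);
});
```

```javascript
// Safer: parse the input as plain JSON, then validate its shape with a Zod schema.
const { z } = require('zod');
// Assumed example schema; the page does not show the fields of sessionSchema.
const sessionSchema = z.object({ userId: z.string() });

app.post('/api/session', (req, res) => {
  const data = JSON.parse(req.body.data);
  const session = sessionSchema.parse(data);
  res.json(session);
});
```

Real-World Example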
The SolarWinds attack (2020) was a supply chain integrity failure. Attackers compromised the build pipeline to inject malware into signed software updates, affecting 18,000 organizations including US government agencies.
How to Prevent It
- Never deserialize untrusted data with unsafe libraries
- Use JSON.parse() with Zod validation instead of serialization libraries
- Verify digital signatures on software updates
- Implement integrity checks in CI/CD pipelines
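
The signature and integrity checks from the list above, sketched as an added Node.js example (not code from the original page). The function names, the manifest layout, the key pair and the sample artifact are all assumptions constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed publisher key pair. In practice the private key stays on the
// release-signing system and only the public key ships with the client.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Publisher side: sign a manifest that pins the artifact's SHA-256 digest.
function signRelease(artifact, version, key) {
  const manifest = Buffer.from(JSON.stringify({
    version,
    sha256: crypto.createHash('sha256').update(artifact).digest('hex'),
  }));
  // Ed25519 takes no separate digest algorithm, hence the null argument.
  return { manifest, signature: crypto.sign(null, manifest, key) };
}

// Client side: returns the manifest fields only if signature and digest check out.
function verifyUpdate(artifact, manifest, signature, pinnedKey) {
  // 1. Authenticate the raw manifest bytes before parsing them.
  if (!crypto.verify(null, manifest, pinnedKey, signature)) {
    throw new Error('manifest signature invalid');
  }
  const { version, sha256 } = JSON.parse(manifest.toString('utf8'));
  // 2. Compare the downloaded artifact against the signed digest.
  const actual = crypto.createHash('sha256').update(artifact).digest();
  const expected = Buffer.from(String(sha256), 'hex');
  if (expected.length !== actual.length || !crypto.timingSafeEqual(expected, actual)) {
    throw new Error('artifact digest mismatch');
  }
  return { version, sha256 };
}

// Boolean wrapper for callers that do not want an exception.
function isTrustedUpdate(artifact, manifest, signature, pinnedKey) {
  try { verifyUpdate(artifact, manifest, signature, pinnedKey); return true; }
  catch { return false; }
}

// Constructed sample data: a genuine artifact and a modified copy of it.
const artifact = Buffer.from('app-v1.2.3 binary contents (constructed)');
const release = signRelease(artifact, '1.2.3', privateKey);
const tampered = Buffer.concat([artifact, Buffer.from('// injected')]);
console.log(isTrustedUpdate(artifact, release.manifest, release.signature, publicKey));
console.log(isTrustedUpdate(tampered, release.manifest, release.signature, publicKey));
```

A valid signature only shows who signed the artifact. In the SolarWinds case described above the malware shipped inside signed updates, which is why the build pipeline needs its own integrity checks as well.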
Related Vulnerabilities
Broken Access Control
Severity: high. Users can act outside their intended permissions, accessing other users' data or admin functionality without proper authorization checks.
Cryptographic Failures
Severity: high. Sensitive data is exposed due to weak or missing encryption — using outdated algorithms like MD5/SHA1, storing passwords in plaintext, or transmitting data without TLS.
Supply Chain Failures
Severity: medium. Your application inherits vulnerabilities from third-party dependencies — outdated packages with known CVEs that attackers actively exploit.
Security Misconfiguration
Severity: medium. Default configurations, open CORS policies, debug mode in production, or verbose error messages expose your application to attackers.