Severity: High | CWE-502 | OWASP A08:2021

Unsafe Deserialization

Deserializing untrusted data with libraries like node-serialize or Python's yaml.load allows attackers to execute arbitrary code on the server.

How It Works

Serialization converts objects into a format for storage or transmission, and deserialization reverses the process. When an application deserializes data from untrusted sources without validation, an attacker can craft malicious payloads that execute code during the deserialization process. In Node.js, the node-serialize library's unserialize() function can execute JavaScript via IIFE patterns in serialized strings. In Python, yaml.load() with the default Loader can instantiate arbitrary Python objects. These vulnerabilities often lead to Remote Code Execution (RCE), the most severe category of vulnerability.

Vulnerable Code

const express = require('express');
const cookieParser = require('cookie-parser'); // populates req.cookies
const serialize = require('node-serialize');
const app = express().use(cookieParser());
app.post('/api/session', (req, res) => {
  // Attacker-controlled cookie: unserialize() runs any function (IIFE) embedded in it.
  const sessionData = serialize.unserialize(req.cookies.session);
  res.json(sessionData);
});

Secure Code

const { z } = require('zod'); // app and cookieParser set up as above
// Hypothetical session shape for this example; declare the fields your app actually uses.
const sessionSchema = z.object({ userId: z.string(), role: z.enum(['user', 'admin']) }).strict();
app.post('/api/session', (req, res) => {
  try {
    // JSON.parse never executes code; the strict schema rejects anything but the expected shape.
    const sessionData = JSON.parse(req.cookies.session);
    const validated = sessionSchema.parse(sessionData);
    res.json(validated);
  } catch { res.status(400).json({ error: 'Invalid session' }); }
});

Real-World Example

The 2017 Equifax breach that exposed 147 million records was partly enabled by an Apache Struts deserialization vulnerability (CVE-2017-5638). Attackers sent a crafted Content-Type header that triggered unsafe deserialization, granting remote code execution on Equifax's servers.

How to Prevent It

  • Never use node-serialize — use JSON.parse() with Zod validation instead
  • In Python, use yaml.safe_load() instead of yaml.load()
  • Never deserialize data from cookies, headers, or user input without validation
  • Implement integrity checks (HMAC signatures) on serialized data

Affected Technologies

Node.js, Python, Java, PHP, Go

Data Hogo detects this vulnerability automatically.
