CWE-502 Unsafe Deserialization
What this means
SiteShadow flagged code that deserializes untrusted data using unsafe APIs. This usually means the input can construct complex objects — not just "data" — and those objects can trigger dangerous behavior when loaded.
Why it matters
Unsafe deserialization can lead to code execution.
- Remote Code Execution (RCE) is a common outcome in many stacks.
- Privilege escalation: attacker-crafted objects can bypass authorization assumptions.
- Data tampering: attackers can inject fields/state your code never expected.
Safer examples
1) Prefer JSON + strict schema validation
import json
data = json.loads(payload) # then validate shape/types
2) Avoid native object deserialization for untrusted inputs
Avoid patterns like Java native serialization, Python pickle, Ruby Marshal, .NET BinaryFormatter, etc. for data coming from users, webhooks, or the network.
3) If you must deserialize, constrain it hard
- Only allow specific types
- Require signatures/integrity checks before parsing
- Treat it as high-risk and isolate or sandbox the parsing where feasible
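Items 1 and 3 combined, as an added example (not SiteShadow's or any project's own code): the integrity check runs on the raw bytes before parsing, then JSON is parsed and validated against a strict shape. The secret, field names, allowed actions and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: a shared secret provisioned out of band (constructed value).
SECRET = b"constructed-demo-key"

# Assumption: the expected message shape; exact keys, exact types.
SCHEMA = {"user_id": int, "action": str, "tags": list}
ALLOWED_ACTIONS = {"view", "export"}


def sign(body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 tag over the raw bytes."""
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()


def load_untrusted(body: bytes, tag: str) -> dict:
    """Verify integrity first, then parse, then validate shape and types."""
    # 1. Integrity check on the raw bytes, before any parser sees them.
    if not hmac.compare_digest(sign(body).encode(), tag.encode()):
        raise ValueError("bad signature")
    # 2. JSON yields only dict/list/str/number/bool/None, never custom objects.
    data = json.loads(body)
    if not isinstance(data, dict) or set(data) != set(SCHEMA):
        raise ValueError("unexpected or missing fields")
    # 3. Exact type match: type() is used so that bool does not pass as int.
    for key, expected in SCHEMA.items():
        if type(data[key]) is not expected:
            raise ValueError(f"wrong type for {key}")
    if data["action"] not in ALLOWED_ACTIONS:
        raise ValueError("action not allowed")
    if not all(type(t) is str for t in data["tags"]):
        raise ValueError("tags must be strings")
    return data


if __name__ == "__main__":
    # Constructed sample message.
    good = b'{"user_id": 7, "action": "view", "tags": ["a"]}'
    print(load_untrusted(good, sign(good)))
```

A valid signature only proves who produced the bytes; the schema check still runs afterwards so that a correctly signed message with an extra or mistyped field is rejected.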
How SiteShadow detects it (high level)
- Recognizes calls to known unsafe deserialization APIs and checks whether the input is untrusted (request body, cookies, headers, network).
- Flags when deserialization results are used to control code paths, file access, or system calls.
References
- CWE-502: https://cwe.mitre.org/data/definitions/502.html
---