Deserialization Vulnerability
Deserialization is the process of converting stored or transmitted data (like JSON, YAML, or binary formats) back into objects your application can use. A deserialization vulnerability occurs when this process can be exploited to execute arbitrary code — by crafting malicious serialized data that, when deserialized, triggers dangerous operations like JNDI lookups, shell commands, or object instantiation chains.
Why deserialization leads to RCE
When your application deserializes data, it's reconstructing objects. If the deserialization library doesn't restrict what types of objects can be created, an attacker can craft data that causes the library to instantiate dangerous classes — classes that execute code in their constructors or magic methods.
Java is particularly susceptible because its native serialization supports arbitrary class instantiation. The concept of a "gadget chain" — a series of class instantiations that ultimately execute a shell command — has been discovered in Commons Collections, Spring, and dozens of other Java libraries.
Real deserialization CVEs
- Log4Shell (CVE-2021-44228) — JNDI deserialization via log message. CVSS 10.0.
- SnakeYAML (CVE-2022-1471) — arbitrary Java class instantiation via YAML. CISA KEV.
- Jackson Databind — polymorphic deserialization gadget chains. Multiple CVEs.
- PyYAML (CVE-2020-14343) — Python object instantiation via yaml.load(). CISA KEV.
- PHP unserialize() — PHP object injection via native serialization.
The fix
Never deserialize data from untrusted sources using native serialization or unrestricted YAML/object loaders. Use safe alternatives: yaml.safe_load() in Python, new Yaml(new SafeConstructor()) in Java, JSON instead of pickle, explicit type allowlists in Jackson.
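The Python side of the fix above, as an added example (this code is not part of the original page or any project it names): an explicit type allowlist applied to the standard-library pickle module, the same idea as Jackson's allowlists and SnakeYAML's SafeConstructor. Where JSON can carry the data it should be preferred outright; the allowlist is for the case where pickle cannot be removed. The names RestrictedUnpickler, ALLOWED_CLASSES, safe_loads and load_or_reject are this example's own, and the sample pickles are constructed inline with benign types so the demonstration runs offline.

```python
import collections
import datetime
import io
import pickle

# Constructed allowlist for this example: the only (module, class) pairs the
# application legitimately stores. Every other global reference is refused
# before any constructor, __reduce__ callable or __setstate__ can run, which
# is the step a gadget chain depends on.
ALLOWED_CLASSES = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted global names.

    pickle calls find_class() for every GLOBAL / STACK_GLOBAL opcode in the
    stream, so this is the single choke point for type restriction.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to load {module}.{name}")


def safe_loads(data: bytes):
    """Drop-in replacement for pickle.loads() that enforces the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_or_reject(data: bytes):
    """Return ("ok", obj) for permitted streams, ("rejected", reason) otherwise."""
    try:
        return ("ok", safe_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed sample streams. Plain containers of primitives never reference a
# global, so they load. OrderedDict is on the allowlist, so it loads too.
# datetime.date is harmless but not allowlisted, so it is refused: the point
# is that anything outside the list is rejected, not just known-bad classes.
PLAIN = pickle.dumps({"user": "alice", "roles": ["admin"]})
ALLOWED = pickle.dumps(collections.OrderedDict(a=1))
NOT_ALLOWED = pickle.dumps(datetime.date(2024, 1, 2))


if __name__ == "__main__":
    # Unrestricted pickle.loads() accepts everything, including NOT_ALLOWED.
    print("unrestricted:", pickle.loads(NOT_ALLOWED))
    for label, stream in (("plain", PLAIN), ("allowed", ALLOWED), ("not allowed", NOT_ALLOWED)):
        print(f"restricted {label}:", load_or_reject(stream))
```

The allowlist is keyed on (module, name) rather than on the resolved class so that no import happens for a refused name; a bare attribute lookup on an arbitrary module is itself something an untrusted stream should never be able to trigger.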