Deserialization of Untrusted Data

Property
Language: csharp
Severity: medium
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Medium
Impact Level: High
Likelihood Level: Low

Description

Using NetDataContractSerializer for deserialization is unsafe because it can execute dangerous code if untrusted or manipulated data is processed. This serializer is fundamentally insecure, even if you believe the input is safe.

Impact

If exploited, an attacker could craft malicious data that, when deserialized, allows them to run arbitrary code, compromise sensitive data, or gain control of your application or server. This can lead to data breaches, system takeover, and significant organizational risk.

Deserialization of Untrusted Data

Property
Language: csharp
Severity: medium
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Medium
Impact Level: High
Likelihood Level: Low

Description

Using the LosFormatter class for deserializing data is insecure because it can execute malicious code if untrusted or manipulated input is processed. Even if you trust the data source, LosFormatter cannot be made safe and should not be used.

Impact

If exploited, an attacker could supply crafted input that allows them to execute arbitrary code on your server, potentially leading to data theft, system compromise, or a full takeover of the application. This poses significant risks to both the application’s integrity and the organization’s security.

Deserialization of Untrusted Data

Property
Language: csharp
Severity: medium
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Medium
Impact Level: High
Likelihood Level: Low

Description

Using FsPickler with its default settings allows untrusted data to be deserialized, which opens the door to insecure deserialization attacks: the library may instantiate unexpected types or execute malicious code while handling the input.

Impact

If exploited, an attacker could send specially crafted data to execute arbitrary code, escalate privileges, or gain unauthorized access to sensitive resources on your server. This can lead to full system compromise, data breaches, or further attacks against your infrastructure.

Deserialization of Untrusted Data

Property
Language: java
Severity: medium
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Low

Description

The code deserializes objects from JMS ObjectMessages without validating or restricting the incoming data. This allows untrusted data to be processed, exposing the application to insecure deserialization risks.

Impact

If an attacker sends a malicious JMS ObjectMessage, they could exploit this to execute arbitrary code within your application’s environment. This can lead to unauthorized access, data breaches, or complete system compromise, putting both application and organizational assets at risk.

Deserialization of Untrusted Data

Property
Language: java
Severity: medium
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Medium
Impact Level: High
Likelihood Level: Low

Description

Enabling default typing in Jackson (e.g., with enableDefaultTyping() or certain @JsonTypeInfo annotations) exposes your application to unsafe deserialization. If user-controlled JSON is processed this way, attackers can craft payloads that instantiate unexpected classes during deserialization.

Impact

An attacker could exploit this to achieve remote code execution, letting them run arbitrary code on your server. This can lead to full system compromise, data theft, service disruption, or further attacks against your infrastructure.
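The flagged configuration next to two hardened ones, as an added example that is not part of the original rule text. The Shape, Circle and Square model, the "kind" discriminator and the com.example.model package prefix are assumptions made for the illustration; the Jackson calls are the library's real API (enableDefaultTyping() has been deprecated since 2.10 in favour of activateDefaultTyping with a PolymorphicTypeValidator).

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingExample {

    // Flagged form: with default typing on, a JSON document may name any class on the
    // classpath and Jackson will instantiate it during deserialization.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated for exactly this reason
        return mapper;
    }

    // Hardened form 1: default typing stays off. Where polymorphism is needed, the base
    // type declares a closed list of subtypes keyed by logical names, not class names.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    interface Shape { double area(); }

    public static class Circle implements Shape {   // hypothetical model type
        public double r;
        public double area() { return Math.PI * r * r; }
    }

    public static class Square implements Shape {   // hypothetical model type
        public double side;
        public double area() { return side * side; }
    }

    static ObjectMapper hardenedMapper() {
        return new ObjectMapper(); // no default typing; only the @JsonSubTypes names resolve
    }

    // Hardened form 2: if default typing is genuinely required, gate it with a validator
    // that admits only your own model package (prefix is an assumed placeholder).
    static ObjectMapper restrictedDefaultTypingMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input naming a registered subtype.
        String ok = "{\"kind\":\"circle\",\"r\":2.0}";
        Shape s = hardenedMapper().readValue(ok, Shape.class);
        System.out.println("area = " + s.area());

        // Constructed sample naming a type outside the declared list: it is rejected
        // with InvalidTypeIdException instead of being looked up and instantiated.
        String unknown = "{\"kind\":\"java.util.HashMap\",\"r\":1}";
        try {
            hardenedMapper().readValue(unknown, Shape.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected unknown type id: " + e.getTypeId());
        }
    }
}
```

The detection point for this rule is any call to enableDefaultTyping() or to @JsonTypeInfo(use = Id.CLASS) on a type that user-controlled JSON can reach; the fix is to remove default typing or, at minimum, to pair it with a validator whose allowIfSubType prefixes cover only your own model classes.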

Deserialization of Untrusted Data

Property
Language: java
Severity: medium
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Using the default SnakeYAML Yaml() constructor without specifying a safe or custom constructor allows loading YAML files with potentially dangerous object types. This can make your application vulnerable to deserialization attacks when processing untrusted YAML input.

Impact

If exploited, an attacker could craft malicious YAML files that, when loaded, execute arbitrary code or perform unauthorized actions on your server. This could lead to data breaches, system compromise, or further attacks within your organization.
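The flagged no-argument constructor next to the two safe alternatives, as an added example that is not part of the original rule text. The ServerConfig bean and the sample documents are constructed for the illustration; the SafeConstructor and Constructor signatures shown are those of SnakeYAML 2.x, where every constructor takes a LoaderOptions.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlExample {

    // Flagged form: the default constructor lets a "!!" global tag in the document pick
    // the Java class that gets built (exactly what this rule looks for).
    static Yaml weakLoader() {
        return new Yaml();
    }

    // Hardened form 1: SafeConstructor only builds standard YAML types (maps, lists,
    // scalars). Any global tag naming a Java class fails at load time.
    static Yaml safeLoader() {
        return new Yaml(new SafeConstructor(new LoaderOptions()));
    }

    // Hardened form 2: when the document must map onto one known bean, pin the root
    // type so the document cannot choose a different one.
    public static class ServerConfig {   // hypothetical configuration bean
        public String host;
        public int port;
    }

    static Yaml typedLoader() {
        return new Yaml(new Constructor(ServerConfig.class, new LoaderOptions()));
    }

    public static void main(String[] args) {
        // Constructed sample document.
        String doc = "host: example.internal\nport: 8443\n";

        Map<String, Object> asMap = safeLoader().load(doc);
        System.out.println("safe: " + asMap);

        ServerConfig cfg = typedLoader().load(doc);
        System.out.println("typed: " + cfg.host + ":" + cfg.port);

        // Constructed sample carrying a global tag (class name is a placeholder).
        // SafeConstructor has no constructor registered for it and throws.
        String tagged = "!!com.example.NotAllowed {}\n";
        try {
            safeLoader().load(tagged);
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Prefer SafeConstructor whenever the YAML comes from outside the trust boundary; use the typed Constructor only when the bean is yours and contains no fields that would themselves accept arbitrary tagged objects.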

Deserialization of Untrusted Data

Property
Language: java
Severity: medium
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The code deserializes Java objects from an external source using ObjectInputStream without verifying the source or integrity of the data. This allows attackers to supply crafted object streams that could execute harmful code or alter application behavior.

Impact

If exploited, an attacker could remotely run arbitrary code on the server, gain unauthorized access, or compromise sensitive data. This can lead to a full system breach, data loss, or service disruption, putting both application security and user data at serious risk.

Deserialization of Untrusted Data

Property
Language: java
Severity: medium
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Passing arbitrary objects as parameters in Java RMI interfaces allows untrusted data to be deserialized, which can enable attackers to send crafted objects that exploit your system. Instead, use simple types (like IDs) and avoid deserializing objects from clients.

Impact

If exploited, an attacker could execute arbitrary code on your server, gain unauthorized access, or take control of the system. This can lead to data breaches, service disruption, or full system compromise, putting both your application and organization at serious risk.

Deserialization of Untrusted Data

Property
Language: java
Severity: medium
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Passing non-primitive objects as parameters in Java RMI interfaces can expose your application to insecure deserialization. This means untrusted data could be processed, allowing attackers to send malicious objects to your server.

Impact

If exploited, an attacker could execute arbitrary code on your server, potentially gaining unauthorized access, stealing sensitive data, or taking control of your system. This can lead to severe data breaches or total compromise of the application environment.
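One mitigation that serves the ObjectInputStream rule above as well as the JMS ObjectMessage and the two RMI rules: a JEP 290 deserialization filter (java.io.ObjectInputFilter, Java 9+) that allowlists the expected classes, caps stream depth and size, and rejects everything else. This is an added example, not code from the original rule text; the Message class, the allowlist and the sample streams are constructed for the illustration, and the filter pattern syntax is the JDK's own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

// The one application type this endpoint expects to receive (hypothetical).
class Message implements Serializable {
    private static final long serialVersionUID = 1L;
    final long id;
    final String text;
    Message(long id, String text) { this.id = id; this.text = text; }
}

public class FilteredDeserialization {

    // Allowlist-first filter: the expected type, the collection wrapping it, a depth
    // and byte cap against resource-exhaustion streams, and "!*" so that any other
    // class is rejected before an instance of it is created.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "Message;java.util.ArrayList;maxdepth=5;maxbytes=65536;!*");

    // Flagged form: whatever class names the stream carries are resolved and built.
    static Object readUnfiltered(byte[] data) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened form: the filter is installed before the first read.
    static Object readFiltered(byte[] data) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    // Helper used only to build the constructed sample streams below.
    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        List<Message> batch = new ArrayList<>();
        batch.add(new Message(1, "hello"));
        byte[] expected = serialize(batch);                  // constructed: allowed shape
        byte[] unexpected = serialize(new java.util.Date());  // constructed: class not on the allowlist

        List<?> accepted = (List<?>) readFiltered(expected);
        System.out.println("accepted " + accepted.size() + " message(s)");

        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            // The filter reports REJECTED and the stream is abandoned.
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Where the ObjectInputStream is opened by a framework rather than by your code, as with RMI stubs and JMS providers that implement ObjectMessage on top of Java serialization, install the same allowlist process-wide with ObjectInputFilter.Config.setSerialFilter(FILTER) or the -Djdk.serialFilter JVM option. For the RMI rules the stronger fix remains the one the rule states: change the remote interface to carry identifiers and primitives and resolve them server-side, so no client-supplied object graph is deserialized at all.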

Deserialization of Untrusted Data

Property
Language: java
Severity: low
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

When a RESTful web service endpoint is configured to use the wildcard media type */* as the value of the @Consumes annotation, an attacker could abuse the SerializableProvider by sending an HTTP request with a Content-Type of application/x-java-serialized-object. The body of that request would be processed by the SerializableProvider and could contain a malicious payload, which may lead to arbitrary code execution when the $Y.getObject method is called.