| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Avoid using cPickle, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Avoid using dill, which uses pickle, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.
| Property | |
|---|---|
| Language | |
| Severity |  |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
Using Python’s shelve module is risky because it relies on pickle for serialization, which can execute arbitrary code if given malicious input. If your application loads data from untrusted sources using shelve, attackers could exploit this to run harmful code.
If exploited, an attacker could gain control over the server or access sensitive data by executing arbitrary code during deserialization. This could lead to data breaches, system compromise, or further attacks within your environment.
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
Using ruamel.yaml.YAML() with typ=‘unsafe’ or typ=‘base’ allows loading YAML files that can instantiate arbitrary Python objects. This means untrusted YAML input could trigger unintended code execution in your application.
If exploited, an attacker could craft a malicious YAML file to execute arbitrary code on your server, potentially leading to data theft, service disruption, or a complete system compromise. This exposes your application and infrastructure to significant security risks.
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
Using PyYAML’s yaml.load or yaml.unsafe_load (with Loader like Loader, UnsafeLoader, or CLoader) to parse YAML is unsafe, as it can execute arbitrary code embedded in YAML input. Always use yaml.safe_load or SafeLoader to prevent code execution risks.
If exploited, an attacker could craft malicious YAML input that executes arbitrary Python code on your server, leading to data theft, malware installation, or complete system compromise. This puts both application data and infrastructure at serious risk.
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Using jsonpickle.decode() on data from untrusted sources can allow attackers to execute arbitrary code during deserialization. This happens because jsonpickle can reconstruct complex Python objects, including those that may run code on load.
If exploited, attackers could craft malicious input that, when decoded, runs their code on your server. This could lead to data theft, system compromise, or full remote control of your application, putting sensitive data and infrastructure at risk.
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Deserializing data using Python’s pickle (or similar modules) with untrusted input can allow attackers to execute arbitrary code. This is because pickle is not safe for loading data received from users or external sources.
If exploited, an attacker could craft malicious serialized data that, when processed by pickle, runs their own code on your server. This could lead to data theft, service disruption, unauthorized access, or full system compromise.
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
The code uses insecure deserialization libraries (like pickle or yaml.load) within a Flask route, which can allow attackers to execute arbitrary code if untrusted user input is deserialized. Avoid passing user data to these functions and use safer alternatives like JSON for serialization.
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
The code uses insecure deserialization functions like pickle, cPickle, dill, shelve, or unsafe yaml loaders to process data that may come from user input. These libraries can execute arbitrary code during deserialization, making it unsafe to use them with untrusted data.
If exploited, an attacker could craft malicious input that, when deserialized, runs arbitrary code on the server. This could lead to full system compromise, data theft, or service disruption, severely impacting the application’s security and reliability.
| Property | |
|---|---|
| Language |  |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Using YAML.load on untrusted input in Ruby can allow attackers to execute arbitrary code or load dangerous objects. This happens because YAML.load will deserialize and instantiate any Ruby objects present in the input, making it unsafe for user-supplied data.
If exploited, an attacker could run malicious code on your server, potentially leading to data theft, system compromise, or a complete takeover of your application. This vulnerability puts both your application and its users at severe risk.