Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language | clojure |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Medium |
Description
Parsing untrusted input with Clojure's core `read-string` is dangerous because it is a code reader, not a data parser. While `*read-eval*` is true (the default), the `#=(...)` dispatch macro evaluates the enclosed form during the read, and constructor syntax such as `#some.Class[...]` instantiates arbitrary JVM classes. The `clojure.core/read-string` docstring itself warns that it should be used only with trusted sources. Use `clojure.edn/read-string` for anything that arrives from a client: it implements only the EDN grammar, has no `#=` macro or constructor syntax, and recognises only the tagged literals in `default-data-readers` (`#inst`, `#uuid`) plus any you explicitly register with `:readers`. Binding `*read-eval*` to false blocks `#=` but is a narrower fix than switching readers, and every reader function you register for EDN is code that runs on attacker-controlled values, so keep those to simple constructors.
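The following is an added example, not code from the original rule page: it places the vulnerable `clojure.core/read-string` call next to the `clojure.edn/read-string` replacement and runs both over a constructed hostile payload and a constructed benign one. The `app/money` tag and its reader function are hypothetical names chosen to show how opt-in tagged literals work.

```clojure
(ns example.deserialize
  (:require [clojure.edn :as edn]))

;; Constructed sample inputs, standing in for a request body the server reads.
;; `#=` is the reader-eval dispatch macro: clojure.core/read-string evaluates
;; the form inside it while *read-eval* is true, which is the default.
(def hostile-input "#=(java.lang.Runtime/getRuntime)")

;; The shape of data this endpoint actually expects (constructed).
(def benign-input
  "{:user-id 42 :roles #{:viewer} :created #inst \"2024-01-01T00:00:00Z\"}")

;; VULNERABLE: the reader runs the #= form during parsing, so the value
;; returned is whatever the attacker's expression evaluated to.
(defn parse-unsafe [s]
  (read-string s))

;; HARDENED: clojure.edn/read-string implements only the EDN grammar. It has
;; no #= macro and no record/constructor syntax, so the same payload is
;; rejected with an exception instead of being evaluated.
(defn parse-safe [s]
  (edn/read-string s))

;; EDN still supports tagged literals, but only the ones you opt into:
;; default-data-readers covers #inst and #uuid, and :readers adds your own.
;; Each reader function you register is code that runs on attacker data, so
;; keep it to a pure constructor. (app/money is a hypothetical tag name.)
(defn parse-safe-with-readers [s]
  (edn/read-string {:readers {'app/money (fn [v] {:amount (double v)})}} s))

;; Wrap a parser so a rejected payload surfaces as data rather than a crash,
;; which is what a request handler would want to do before returning 400.
(defn try-parse [parse-fn s]
  (try
    {:ok (parse-fn s)}
    (catch Exception e
      {:error (.getMessage e)})))

(comment
  ;; Evaluate in a REPL to compare the two readers on the same inputs.
  (try-parse parse-unsafe hostile-input)
  (try-parse parse-safe hostile-input)
  (try-parse parse-safe benign-input)
  (try-parse parse-safe-with-readers "#app/money 12.50"))
```

Run in a REPL, `parse-unsafe` hands back a live `java.lang.Runtime` object, proving that the payload executed while being read; `parse-safe` returns an `:error` map because the EDN reader has no dispatch macro for `=`; and `parse-safe` on the benign input yields an ordinary map whose `:created` value is a `java.util.Date` produced by the built-in `#inst` reader. The hardened parser also rejects `#java.io.File["/etc/passwd"]`-style constructor syntax, which the core reader would honour under the default `*read-eval*` setting.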
Impact
If exploited, an attacker who controls the parsed string can execute arbitrary code in the JVM with the privileges of the application process. That is enough to read or modify application data, reach other internal services with the server's credentials, and install persistence, so the realistic outcome is full compromise of the host rather than a single malformed record. Beyond the data exposure, the application's reliability and the trust users place in it are damaged.