Deserialization of Untrusted Data
| Property | |
|---|---|
| Language | csharp |
| Severity |  |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description#
Using .NET Remoting with BinaryServerFormatterSinkProvider and setting TypeFilterLevel to ‘Full’ or ‘Low’ allows unsafe deserialization of untrusted data. This setting makes your application vulnerable to malicious code execution during the deserialization process.
Impact#
An attacker could exploit this to execute arbitrary code on the server, potentially leading to full system compromise, data theft, or service disruption. This puts both application data and infrastructure at significant risk.