Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language | csharp |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Low |
Description
Deserializing data with the `LosFormatter` class (`System.Web.UI.LosFormatter`, the formatter behind ASP.NET ViewState) is insecure. `LosFormatter` reconstructs whatever object graph the serialized string names, and it offers no way to restrict the set of types it will instantiate, so a crafted or tampered payload can cause arbitrary code to run during deserialization. Even when the data appears to come from a trusted source, `LosFormatter` cannot be configured to be safe and should not be used; deserialize into a fixed, known data type with a serializer that never instantiates types chosen by the input. To find affected code, look for `new LosFormatter(` together with a call to `Deserialize` whose argument is derived from a request, cookie, form field, or any other externally writable location.
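The following added example (not code from the original rule page) shows a request-handling method that triggers this rule beside a hardened replacement. The `CartState` type and the two method names are assumptions made for the illustration; the safe version uses `System.Text.Json`, which on .NET Framework is available as a NuGet package.

```csharp
using System;
using System.IO;
using System.Text.Json;
using System.Web.UI; // LosFormatter lives in System.Web (ASP.NET, .NET Framework)

// Assumed plain data type for the example: the only shape the server will accept.
public sealed class CartState
{
    public int CartId { get; set; }
    public string Coupon { get; set; }
}

public static class StateHandling
{
    // VULNERABLE (flagged by this rule): LosFormatter instantiates whatever
    // types the incoming string names. A crafted payload can name gadget
    // types whose construction or property setters execute attacker-chosen
    // logic, and nothing on LosFormatter lets you restrict the type graph.
    public static object LoadStateUnsafe(string base64FromClient)
    {
        var formatter = new LosFormatter();
        return formatter.Deserialize(base64FromClient); // input decides the types created
    }

    // HARDENED: deserialize only into the fixed CartState shape with a
    // serializer that ignores type names in the input, then validate the
    // field values before trusting them.
    public static CartState LoadStateSafe(string jsonFromClient)
    {
        var options = new JsonSerializerOptions
        {
            MaxDepth = 8,                          // bound nesting of the document
            PropertyNameCaseInsensitive = false,
        };

        CartState state = JsonSerializer.Deserialize<CartState>(jsonFromClient, options)
                          ?? throw new InvalidDataException("empty state document");

        // Business-level validation still applies: a safe parser only stops
        // code execution during parsing, not bad values.
        if (state.CartId <= 0)
            throw new InvalidDataException("invalid CartId");
        if (state.Coupon != null && state.Coupon.Length > 32)
            throw new InvalidDataException("coupon too long");

        return state;
    }
}
```

`LosFormatter` also has a constructor that enables a MAC over the payload (`new LosFormatter(true, macKeyModifier)`), keyed by the application's `machineKey`. That is not a fix for this finding: it checks that the bytes were produced by a holder of the key, not that they are safe to materialize, and a leaked or shared `machineKey` makes forging a payload trivial. Replacing the formatter, as above, removes the type-instantiation hazard entirely.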
Impact
If the deserialized input can be influenced by an attacker, they can supply a crafted payload that executes arbitrary code in the process hosting the application, typically with the privileges of the web server's worker process. From there the attacker can read or modify application data, plant persistent access, pivot to other systems reachable from the server, or take over the application entirely. Because the payload is processed before any application-level validation runs, ordinary input checks on the decoded object do not reduce this risk.