Property

Language: python
Severity: medium
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Low

Description

Using Python's shelve module is risky because it stores every value with pickle, and unpickling crafted input can execute arbitrary code. If your application opens a shelf file that an untrusted party can supply or modify, an attacker could use this to run code of their choosing inside your process.
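The following is an added example, not code from the rule or from the Python project, showing one defensive pattern: instead of letting shelve.open unpickle values with the unrestricted default Unpickler, read the underlying dbm file directly and decode each value with an Unpickler whose find_class only resolves an allowlist of globals. Plain dicts, lists, strings and numbers need no global lookup and decode normally; a value that references any other class (the example uses datetime.date as a stand-in for an unexpected type) is rejected before it can be constructed. The names RestrictedUnpickler, SAFE_GLOBALS, restricted_loads, read_shelf_safely and demo, and the allowlist contents, are assumptions made for this example.

```python
import datetime
import dbm
import io
import os
import pickle
import shelve
import tempfile

# Assumed allowlist for this example: the only (module, name) pairs the
# loader may resolve. Built-in containers and scalars are encoded with
# dedicated opcodes and never reach find_class, so this list can stay tiny.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not explicitly allowlisted."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        # Raising here aborts the load before any object is instantiated.
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    """Decode one pickled value with the restricted loader."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def read_shelf_safely(path: str) -> dict:
    """Read every entry of a shelf file without calling shelve.open.

    shelve stores utf-8 encoded keys and pickled values in a dbm database,
    so the raw entries can be read back and decoded under our own policy.
    """
    out = {}
    with dbm.open(path, "r") as db:
        for raw_key in db.keys():
            out[raw_key.decode("utf-8")] = restricted_loads(db[raw_key])
    return out


def demo():
    """Constructed demonstration: benign data decodes, a foreign class does not."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "store")
        # Constructed sample shelf holding only plain data.
        with shelve.open(path) as s:
            s["config"] = {"retries": 3, "hosts": ["a", "b"]}
            s["tags"] = {"x", "y"}
        benign = read_shelf_safely(path)

        # Add a value whose pickle references datetime.date, which is not
        # on the allowlist; the restricted reader must reject the file.
        with shelve.open(path) as s:
            s["when"] = datetime.date(2024, 1, 1)
        try:
            read_shelf_safely(path)
            rejected = None
        except pickle.UnpicklingError as exc:
            rejected = str(exc)
    return benign, rejected


if __name__ == "__main__":
    benign, rejected = demo()
    print("decoded:", benign)
    print("rejected:", rejected)
```

The allowlist is the whole policy: anything your application legitimately stores that needs a class lookup must be added to SAFE_GLOBALS, and anything else fails closed. If the stored data is plain JSON-shaped values, a json-backed store avoids pickle entirely and is the simpler choice.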

Impact

If exploited, an attacker could gain control over the server or access sensitive data by executing arbitrary code during deserialization. This could lead to data breaches, system compromise, or further attacks within your environment.