Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Calling jsonpickle.decode() on data from untrusted sources can allow an attacker to execute arbitrary code during deserialization. jsonpickle does not just parse JSON values: it reconstructs arbitrary Python objects named in the payload, including types whose construction or state restoration runs code, so the input decides which classes get instantiated.
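Added example (not code from the rule page or from jsonpickle): the flagged jsonpickle.decode() pattern beside a hardened loader that uses plain json.loads and rebuilds one known type explicitly. The UserPrefs type, its fields and the allowed values are assumptions for the demonstration; the tag list is based on the reserved keys jsonpickle uses for object reconstruction and should be checked against the installed version.

```python
import json
from dataclasses import dataclass

# Reserved keys jsonpickle uses to drive object reconstruction. Their presence
# in untrusted input means the payload describes objects to build, not plain data.
JSONPICKLE_TAGS = ("py/object", "py/type", "py/reduce", "py/function",
                   "py/repr", "py/newargs", "py/state", "py/id")


@dataclass
class UserPrefs:  # assumed application type for the demonstration
    theme: str
    page_size: int


def load_prefs_unsafe(raw: str) -> object:
    """The pattern the rule flags: the payload chooses which classes are built."""
    import jsonpickle  # third-party; decode() trusts the input to name types
    return jsonpickle.decode(raw)


def _contains_tag(node) -> bool:
    """Recursively check parsed JSON for jsonpickle reconstruction tags."""
    if isinstance(node, dict):
        return any(k in JSONPICKLE_TAGS for k in node) or any(_contains_tag(v) for v in node.values())
    if isinstance(node, list):
        return any(_contains_tag(v) for v in node)
    return False


def load_prefs_safe(raw: str) -> UserPrefs:
    """Hardened form: json.loads yields data only; the type is fixed in code."""
    data = json.loads(raw)
    if not isinstance(data, dict) or _contains_tag(data):
        raise ValueError("rejected: not a plain preferences object")
    theme, page_size = data.get("theme"), data.get("page_size")
    if theme not in ("light", "dark"):
        raise ValueError("rejected: unknown theme")
    if not isinstance(page_size, int) or isinstance(page_size, bool) or not 1 <= page_size <= 100:
        raise ValueError("rejected: page_size out of range")
    return UserPrefs(theme=theme, page_size=page_size)


def rejects(raw: str) -> bool:
    """True when the hardened loader refuses the payload."""
    try:
        load_prefs_safe(raw)
    except ValueError:
        return True
    return False
```

The tag scan is defence in depth only; the real fix is that load_prefs_safe never lets the input pick a class to instantiate.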
Impact
If exploited, an attacker could craft malicious input that runs their code on your server when it is decoded. This could lead to data theft, system compromise, or full remote control of your application, putting sensitive data and infrastructure at risk.