Deserialization of Untrusted Data
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description#
Deserializing data using Python’s pickle (or similar modules) with untrusted input can allow attackers to execute arbitrary code. This is because pickle is not safe for loading data received from users or external sources.
Impact#
If exploited, an attacker could craft malicious serialized data that, when processed by pickle, runs their own code on your server. This could lead to data theft, service disruption, unauthorized access, or full system compromise.