Deserialization of Untrusted Data
| Property | |
|---|---|
| Language | Ruby |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description#
Calling YAML.load on untrusted input in Ruby can let an attacker instantiate arbitrary objects and, through them, execute code. Ruby's YAML parser (Psych) honours tags such as !ruby/object:ClassName, so a document the attacker controls can name any class loaded in the process and have the parser build an instance of it with attacker-chosen instance variables before application code ever sees the data. Note that Psych 4 (bundled with Ruby 3.1 and later) changed YAML.load to behave like YAML.safe_load; the old arbitrary-object behaviour lives on as YAML.unsafe_load, so on older Rubies YAML.load and on newer ones YAML.unsafe_load must both be treated as unsafe for user-supplied data. Use YAML.safe_load instead, and if a custom class genuinely has to be accepted, name it explicitly with the permitted_classes option rather than falling back to the unsafe loader.
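The following is an added example, not code from the page or from any tool it describes. It shows the mechanism on a hypothetical application class (AuditEntry, assumed for illustration) and a constructed attacker-controlled document: the legacy loader builds an AuditEntry the application never asked for, while safe_load rejects the tag unless the class is explicitly permitted. The helper picks YAML.unsafe_load where Psych 4 provides it and plain YAML.load on older Psych, since that is where the unsafe behaviour lives on each version.

```ruby
require "yaml"
require "psych"

# Hypothetical application class (an assumption for this example). It exists
# only to show that the parser will instantiate whatever type the document names.
class AuditEntry
  attr_reader :note

  def initialize(note = "")
    @note = note
  end
end

# Constructed attacker-controlled input: a YAML tag naming a Ruby class the
# application never intended to accept from users. The parser allocates the
# object and sets @note directly; initialize is never called.
UNTRUSTED_DOC = <<~YAML
  --- !ruby/object:AuditEntry
  note: "instantiated by the parser, not by application code"
YAML

# The behaviour the page warns about. Before Psych 4 (Ruby < 3.1) this is
# plain YAML.load; Psych 4 renamed it YAML.unsafe_load and made YAML.load safe.
def vulnerable_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened form: only core scalar and collection types are accepted unless a
# class is explicitly allow-listed. Aliases are disabled too, which also blocks
# alias-expansion denial of service ("billion laughs") documents.
def hardened_load(doc, permitted_classes: [])
  YAML.safe_load(doc, permitted_classes: permitted_classes, aliases: false)
end

# Runs both loaders over the same document and reports what each produced.
def demo
  arbitrary = vulnerable_load(UNTRUSTED_DOC)
  rejection = begin
    hardened_load(UNTRUSTED_DOC)
    nil
  rescue Psych::DisallowedClass => e
    e
  end
  { unsafe_class: arbitrary.class, safe_error: rejection.class }
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  puts "legacy loader built: #{result[:unsafe_class]}"
  puts "safe_load raised:    #{result[:safe_error]}"
end
```

In the hardened loader, permitted_classes is the only door back to object instantiation, so keep that list empty unless a specific class must round-trip through YAML, and never populate it from input.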
Impact#
If exploited, an attacker can run arbitrary code in the process that deserializes the input, with that process's privileges and access to its credentials and data. In practice this leads to data theft, compromise of the host, or a complete takeover of the application, putting both the application and its users at severe risk.