Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language | Ruby |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
The code deserializes user-supplied input (such as request params or cookies) with a function that can instantiate arbitrary objects, such as Marshal.load, CSV.load, or Oj.load. A Marshal blob names the class of every object it contains; loading it allocates those classes without calling initialize and invokes their deserialization hooks (marshal_load or _load) with whatever state the blob carries. An attacker who controls the bytes can therefore drive code in any class already loaded in the process, which is how deserialization gadget chains turn into remote code execution. Marshal has no safe mode, so it must never be applied to data that crossed a trust boundary. Oj.load in its default object mode has the same problem; Oj.safe_load (or Oj.load with mode: :strict) restricts the result to plain hashes, arrays, strings and numbers. Prefer a data-only format such as JSON and validate the parsed structure before building application objects from it.
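The following Ruby script is an added illustration of the mechanism described above; it is not part of the rule text or any project's code. The class Preferences, the cookie helpers, and the in-memory DESERIALIZATION_SIDE_EFFECTS recorder are constructed for the demo. It shows a cookie flowing into Marshal.load (the pattern this rule flags), how the blob bypasses the constructor and drives the class's marshal_load hook with attacker-chosen state, and a hardened replacement that parses JSON and validates before constructing the object.

```ruby
require 'json'

# Constructed demo: a harmless stand-in for any class already loaded in a
# Ruby/Rails process. Side effects triggered during deserialization are
# recorded in memory so the script runs offline; in a real gadget chain the
# same hook could write files, call `system`, or evaluate code.
DESERIALIZATION_SIDE_EFFECTS = []
ALLOWED_THEMES = %w[light dark].freeze

class Preferences
  attr_reader :theme

  # The constructor validates its input against an allowlist.
  def initialize(theme)
    raise ArgumentError, "unknown theme #{theme.inspect}" unless ALLOWED_THEMES.include?(theme)
    @theme = theme
  end

  # Generic "dump every instance variable" serializer, a common convenience.
  def marshal_dump
    instance_variables.to_h { |iv| [iv.to_s.delete_prefix('@'), instance_variable_get(iv)] }
  end

  # Marshal.load allocates a Preferences WITHOUT calling initialize and hands
  # this hook whatever hash the blob contains: the blob, not the class,
  # decides what arrives here.
  def marshal_load(state)
    @theme = state['theme']
    DESERIALIZATION_SIDE_EFFECTS << state['run'] if state.key?('run')
  end
end

# Vulnerable pattern flagged by this rule: a cookie value goes straight into
# Marshal.load. The attacker chooses which class the blob names and what
# state its marshal_load hook receives.
def load_prefs_unsafe(cookie_value)
  Marshal.load(cookie_value.unpack1('m0')) # 'm0' = strict base64 decode
end

# Hardened replacement: accept a data-only format, parse it into plain
# Hash/String values, then build the object through its validating
# constructor. JSON.parse never instantiates application classes;
# create_additions: false is already the default and is spelled out here.
def load_prefs_safe(cookie_value)
  data = JSON.parse(cookie_value.unpack1('m0'), create_additions: false)
  raise ArgumentError, 'preferences must be a JSON object' unless data.is_a?(Hash)
  Preferences.new(data['theme'])
rescue JSON::ParserError => e
  raise ArgumentError, "malformed preferences cookie: #{e.message}"
end

# Builds the cookie an attacker would send. Marshal.dump is used only to
# produce the bytes conveniently; a real attacker writes them by hand and
# needs no access to the application. Preferences.new is never called.
def malicious_cookie
  gadget = Preferences.allocate
  gadget.instance_variable_set(:@theme, 'blink') # bypasses the allowlist
  gadget.instance_variable_set(:@run, 'id')      # reaches the side effect in marshal_load
  [Marshal.dump(gadget)].pack('m0')              # 'm0' = strict base64 encode
end

# A well-formed cookie for the hardened loader (constructed sample input).
def benign_cookie
  ['{"theme":"dark"}'].pack('m0')
end

if __FILE__ == $PROGRAM_NAME
  prefs = load_prefs_unsafe(malicious_cookie)
  puts "unsafe: theme=#{prefs.theme.inspect} side_effects=#{DESERIALIZATION_SIDE_EFFECTS.inspect}"
  DESERIALIZATION_SIDE_EFFECTS.clear
  begin
    load_prefs_safe(malicious_cookie)
  rescue ArgumentError => e
    puts "safe: rejected (#{e.message})"
  end
  puts "safe: theme=#{load_prefs_safe(benign_cookie).theme.inspect}"
end
```

Running the script shows the unsafe loader returning a Preferences whose theme is outside the allowlist and whose marshal_load side effect fired, while the safe loader rejects the Marshal blob outright and, even for valid JSON, ignores keys it was not told to use. The same split applies to Oj: replace Oj.load on external data with Oj.safe_load, then validate.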
Impact
If exploited, an attacker can execute arbitrary code on the server with the privileges of the application process, which can lead to data theft, system compromise, or full takeover of the application environment. This poses a critical risk to both user data and infrastructure.