Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
The application deserializes data read from user-controlled environment variables using methods such as Marshal.load, Oj.load, or CSV.load. Because these methods reconstruct arbitrary Ruby objects, anyone who controls the variable's value can supply malicious data that is executed when it is deserialized.
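As an added example (not part of this entry or any project's code), the vulnerable pattern is shown beside a hardened replacement that uses only the Ruby standard library; the variable name APP_SETTINGS, the allowed keys, and the sample value are assumptions.

```ruby
require 'json'

# Vulnerable pattern: a serialized object graph comes from an environment
# variable, so whoever sets the variable decides which Ruby classes get
# instantiated during deserialization (CWE-502).
def load_settings_unsafe(raw)
  Marshal.load(raw)
end

# Hardened replacement: accept only a plain-data format, parse it without
# custom class creation, and validate the shape before use.
ALLOWED_KEYS = %w[log_level workers].freeze # assumed allow-list

def load_settings(raw)
  # JSON.parse (unlike JSON.load or Marshal.load) yields only Hash, Array,
  # String, numerics, true/false/nil; create_additions is kept disabled.
  data = JSON.parse(raw, create_additions: false)
  raise ArgumentError, 'settings must be a JSON object' unless data.is_a?(Hash)
  unknown = data.keys - ALLOWED_KEYS
  raise ArgumentError, "unknown keys: #{unknown.join(', ')}" unless unknown.empty?
  data
end

# Marshal.dump output begins with the format version bytes 0x04 0x08; this
# check lets a code review or config audit flag variables carrying Marshal data.
def marshal_blob?(raw)
  raw.is_a?(String) && raw.bytesize >= 2 && raw.byteslice(0, 2) == "\x04\x08".b
end

# Constructed sample value, as it might be set in the environment.
SAMPLE = '{"log_level":"info","workers":4}'.freeze

if __FILE__ == $PROGRAM_NAME
  settings = load_settings(ENV.fetch('APP_SETTINGS', SAMPLE))
  puts settings.inspect
end
```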
Impact
An attacker could exploit this vulnerability to execute arbitrary code on the server, potentially compromising sensitive data, gaining unauthorized access, or taking full control of the application and underlying system.