CWE-502 · Deserialization of Untrusted Data

Insecure Deserialization

CWE-502 4 case studies

Insecure deserialization occurs when an application reconstructs objects from untrusted data — typically a serialized stream from a cookie, cache, or network endpoint — without verifying the integrity or type of the data. In languages with rich object graphs (Java, PHP, Python pickle, Ruby Marshal, Node.js node-serialize), an attacker can craft a payload that triggers dangerous method calls during deserialization itself.

This class is difficult to spot in review because the dangerous operation is the deserialization call, which looks identical to safe calls from trusted sources. Reviewers must trace where the serialized data comes from and whether an attacker can control it — a data-flow question that is hard to answer just by looking at the deserialize() call site.

PullLight flags deserialization calls on data sourced from HTTP requests, databases loaded by user-controlled IDs, and external APIs, and it recognizes PHP unserialize(), Java ObjectInputStream, Python pickle.loads(), and Node.js node-serialize as high-risk sinks. The Roundcube RCE (CVE-2025-49113) is a recent example where a PHP parameter reached unserialize().

Case studies in this class

10.0

CVSS

CVE-2025-55182

RCE via Unvalidated RSC Deserialization

CVE-2025-55182 — React2Shell RCE

PHP Object Deserialization via _from Parameter

CVE-2025-49113 — Roundcube Post-Auth RCE

Path Equivalence + Unsafe Deserialization in DefaultServlet

CVE-2025-24813 — Tomcat Partial PUT RCE

RCE via Partial PUT Path Equivalence

CVE-2025-24813 — Apache Tomcat Path Equivalence RCE

tomcat

→

Frequently asked questions

What is Insecure Deserialization?

Insecure deserialization is when an application deserializes data from an untrusted source, potentially allowing attackers to manipulate serialized objects to achieve unauthorized actions, including remote code execution.

How do you prevent Insecure Deserialization?

Avoid deserializing data from untrusted sources. If you must, use a type allowlist, cryptographically sign serialized data before transmitting and verify the signature before deserializing, and prefer data formats like JSON that do not carry executable behavior.

Can AI catch Insecure Deserialization in code review?

Yes — AI review traces where serialized data originates, identifies when it can be attacker-controlled, and flags unserialize/ObjectInputStream/pickle.loads calls on that data.

Has PullLight caught real Deserialization vulnerabilities?

Yes. PullLight flagged PHP Object Deserialization in Roundcube (CVE-2025-49113, CVSS 9.9) and Unsafe Deserialization in Apache Tomcat DefaultServlet (CVE-2025-24813, CVSS 9.8) and react2shell (CVE-2025-55182, CVSS 10.0).

PullLight catches Insecure Deserialization in live code review.
Hooks into GitHub PRs automatically — flags taint flows, not just lint rules.

Try the live demo →

See an example review comment: Browse AI code review examples →