Insecure Deserialization

  • Home
  • Insecure Deserialization
Why a pickle?


Insecure deserialization is a cybersecurity vulnerability that affects various programming languages, including C#, Java, PHP, Python, and others. This article explores the dangers of insecure deserialization, how it affects different languages, and how developers can mitigate the risks. Additionally, we will discuss the roles of penetration testing and source code reviews in helping companies protect themselves against insecure deserialization.

What is Insecure Deserialization?

Deserialization is the process of converting a serialized object, usually in the form of a binary or textual representation, back into its original in-memory format. Insecure deserialization occurs when an attacker manipulates serialized data to exploit vulnerabilities within an application, leading to unauthorized access, data tampering, or remote code execution.

Insecure Deserialization in Different Languages


In C#, deserialization vulnerabilities can arise when using the BinaryFormatter or NetDataContractSerializer classes, which lack built-in security mechanisms. Attackers can craft malicious input data to exploit these vulnerabilities, leading to arbitrary code execution.


Java applications commonly use the native serialization mechanism provided by the interface. This mechanism has been proven to be insecure in many cases, as attackers can craft malicious serialized objects to exploit deserialization vulnerabilities.


PHP applications often use the unserialize() function to deserialize data. If user-supplied data is passed directly to this function without proper validation and sanitization, it can lead to insecure deserialization issues, enabling attackers to execute arbitrary code or manipulate application data.


Python’s native pickle module is used for serializing and deserializing objects. However, the module is not safe for untrusted data, as it allows arbitrary code execution. Developers should be cautious when using the pickle module to deserialize untrusted data.

This is not an exhaustive list of languages or functions susceptible to insecure deserialization.

Secure Development

Use secure deserialization libraries or frameworks:

Use libraries or frameworks that provide secure deserialization mechanisms. For example, in Java, you can use the OWASP Java Object Signing (JOS) project, which provides a secure way to sign and verify serialized objects.

Validate and sanitize input data:

Always validate and sanitize user-supplied data before deserializing it. This can help prevent attackers from injecting malicious data into serialized objects.

Limit the types of deserializable objects:

Restrict the types of objects that can be deserialized to a specific set of trusted types. This can prevent an attacker from exploiting unknown or dangerous object types.

Encrypt serialized data:

Encrypt serialized data to protect it from tampering or unauthorized access. This can help ensure that only trusted parties can deserialize and access the data.

Pentests and Source Code Review

Penetration testing and source code review are essential practices to identify and remediate insecure deserialization vulnerabilities.

Penetration testing:

Penetration testers can simulate real-world attacks to identify insecure deserialization vulnerabilities in an application. By exploiting these vulnerabilities, testers can demonstrate their potential impact and help developers understand how to fix them.

Source code review:

Source code review involves analyzing an application’s source code to identify potential security vulnerabilities. Reviewers can detect insecure deserialization issues by examining how an application handles serialized data, looking for instances where user-supplied data is deserialized without proper validation or sanitization.

In the News: LastPass Breach

If you’re in the cybersecurity industry, you’ve sure seen the LastPass breach in the news. At the heart of this breach was an insecure deserialization – CVE-2020-5714. This CVE is a standard Python Pickle deserialization vulnerability that would have likely been caught in a white-box application penetration test/source code review.


Insecure deserialization is a prevalent cybersecurity vulnerability that affects multiple programming languages. By understanding the risks and implementing secure practices, developers can protect their applications from this dangerous vulnerability. Regular penetration testing and source code reviews are essential to identify and remediate insecure deserialization issues, ensuring that companies remain secure and their data stays protected.