Unsanitized user input in deserialization method
Last updated
Rule ID: javascript_express_unsafe_deserialization
Applicable Languages: JavaScript
Weakness ID: CWE-502
Deserializing untrusted data exposes your application to security risks. This vulnerability arises when data, particularly from external sources like request objects, is deserialized without proper sanitization. Attackers can embed malicious code or payloads in serialized data, which can compromise your application's security upon deserialization.
Do not deserialize data from untrusted sources directly. Doing so can execute malicious code embedded in the data and lead to security vulnerabilities.
Do use data-only, language-agnostic serialization formats such as JSON or XML for deserializing data. These formats are less susceptible to manipulation by attackers aiming to exploit the deserialization process.
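As an added example (not part of this rule page or the Bearer project), here is the hardened side of the pattern the rule describes: an Express handler that treats request-supplied serialized data as plain JSON and copies only validated fields, instead of handing it to a general-purpose deserializer. The cookie name `profile`, the field list and the `UntrustedInputError` class are assumptions made for illustration.

```javascript
// Added example, not the rule's or Bearer's own code.
// The pattern this rule flags looks like:
//   const profile = unserialize(req.cookies.profile); // general-purpose deserializer on request data
// Such deserializers can rebuild functions and other live objects, so the input decides
// what gets instantiated. The fix: use a data-only format (JSON) and validate the result.

// Assumed field allowlist for a "profile" cookie; each validator returns true for acceptable values.
const ALLOWED_FIELDS = {
  username: (v) => typeof v === "string" && /^[A-Za-z0-9_]{1,32}$/.test(v),
  theme: (v) => v === "light" || v === "dark",
  pageSize: (v) => Number.isInteger(v) && v >= 1 && v <= 100,
};

class UntrustedInputError extends Error {}

// Parse untrusted serialized data as JSON and copy only validated, allowlisted fields
// into a fresh object. Unknown keys (including "__proto__") are never copied.
function safeDeserializeProfile(raw) {
  let parsed;
  try {
    parsed = JSON.parse(raw); // data-only: never evaluates code
  } catch (e) {
    throw new UntrustedInputError("profile is not valid JSON");
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new UntrustedInputError("profile must be a JSON object");
  }
  const profile = {};
  for (const [field, isValid] of Object.entries(ALLOWED_FIELDS)) {
    if (!Object.prototype.hasOwnProperty.call(parsed, field)) continue;
    if (!isValid(parsed[field])) {
      throw new UntrustedInputError("invalid value for " + field);
    }
    profile[field] = parsed[field];
  }
  return profile;
}

// Express-style handler (req.cookies as populated by cookie-parser; res is Express's response).
function profileHandler(req, res) {
  const raw = req.cookies && req.cookies.profile !== undefined ? req.cookies.profile : "{}";
  try {
    const profile = safeDeserializeProfile(raw);
    return res.status(200).json(profile);
  } catch (err) {
    if (err instanceof UntrustedInputError) {
      return res.status(400).json({ error: err.message }); // reject, do not guess
    }
    throw err;
  }
}
```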
To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our