Unsanitized user input in deserialization method
PreviousUnsanitized user input in Access-Control-Allow-OriginNextUnsanitized user input in deserialization method
Last updated
Last updated
Rule ID: javascript_lang_unsafe_deserialization
Applicable Languages: Javascript
Weakness ID: CWE-502
Deserializing untrusted data is a dangerous practice. This vulnerability occurs when data, especially from external sources such as request objects, is deserialized without proper sanitization. Attackers can insert malicious payloads within serialized data, compromising your application's security upon deserialization.
Avoid deserializing data that originates from untrusted sources. This helps prevent attackers from injecting malicious payloads that could jeopardize your application.
Choose data-only and language-neutral serialization formats such as JSON or XML for deserializing data. These formats are less prone to manipulation by attackers attempting to exploit the deserialization process.
To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our