Java : Deserialization of untrusted data
Classification
OWASP Top 10 2013
OWASP Top 10 2017
OWASP Top 10 2021
OWASP MASVS
OWASP ASVS
PCI DSS 4.0
CWE/SANS Top 25 2021
Overview
Deserialization of user-controlled objects can lead to arbitrary code execution on the server.
Deserializing objects from an untrusted stream is insecure, because an attacker controls the contents of that stream and can cause the application to execute arbitrary code. Checking the types after deserialization does not help: the malicious code may already have run, since deserialization hooks (such as readObject) execute while the object is being reconstructed, before the caller ever sees the result.
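The following worked example is added here to illustrate the point above; it is not code from the DerScanner page. Both classes are constructed for the demonstration: Expected is the type the application legitimately accepts, and Probe stands in for an attacker-supplied class whose readObject hook runs as a side effect of deserialization (here it only prints a line). The unsafe method casts after readObject(), which is too late; the hardened method installs an ObjectInputFilter (java.io, Java 9 or later) that allow-lists Expected and rejects every other class before it is instantiated.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Constructed sample type that the application legitimately expects to receive.
// Only primitive fields, so no other class is pulled through the filter.
class Expected implements Serializable {
    private static final long serialVersionUID = 1L;
    final int value;
    Expected(int value) { this.value = value; }
}

// Constructed stand-in for an attacker-supplied class: its readObject hook runs
// while the stream is being deserialized, before the caller sees the object.
class Probe implements Serializable {
    private static final long serialVersionUID = 1L;
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        System.out.println("Probe.readObject ran during deserialization");
    }
}

public class DeserializationDemo {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: the instanceof check runs only after readObject() has
    // already executed whatever readObject hooks the stream's classes define.
    static Expected unsafeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            Object o = in.readObject();
            if (!(o instanceof Expected)) {
                throw new InvalidObjectException("unexpected type: " + o.getClass().getName());
            }
            return (Expected) o;
        }
    }

    // Hardened pattern: the filter allow-lists Expected ("Expected"), caps nesting
    // ("maxdepth=3") and rejects everything else ("!*"). Rejection happens before
    // the class is instantiated, so Probe.readObject never runs.
    static Expected safeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter("maxdepth=3;Expected;!*"));
            return (Expected) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new Expected(42));
        byte[] bad = serialize(new Probe()); // constructed "untrusted" input

        System.out.println("unsafe, expected type: value=" + unsafeDeserialize(good).value);
        try {
            unsafeDeserialize(bad); // Probe's message is printed first, then the cast check fails
        } catch (InvalidObjectException e) {
            System.out.println("unsafe, rejected too late: " + e.getMessage());
        }

        System.out.println("safe, expected type: value=" + safeDeserialize(good).value);
        try {
            safeDeserialize(bad); // filter rejects Probe; Probe.readObject is never reached
        } catch (InvalidClassException e) {
            System.out.println("safe, rejected before readObject: " + e.getMessage());
        }
    }
}
```

Compile with a Java 9+ JDK as DeserializationDemo.java and run it: the unsafe path prints the Probe message before it throws, while the filtered path throws InvalidClassException (filter status REJECTED) with no Probe output. The same filter can be applied process-wide through ObjectInputFilter.Config.setSerialFilter or the jdk.serialFilter system property, which is the usual mitigation when the code that calls readObject is not under your control.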
DerScanner Severity Score: MEDIUM