Deserialization of Untrusted Data
Deserialising attacker-controlled bytes into native objects, letting the attacker construct unexpected types that trigger code execution via magic methods.
GateTest coverage
Caught by: security
Example
pickle.loads(request.body) in Python — Pickle is trivially exploitable; the loaded object can execute arbitrary code.
How to fix it
Don't accept serialised native objects from the network. Use JSON for data interchange. If you must deserialise, use schemas (Avro, Protobuf with explicit types) and validate.
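The replacement the fix describes, as an added example that is not GateTest's code or from the original page: the untrusted request body is parsed as JSON and validated field by field against an explicit schema, so no native object is ever reconstructed. The order schema, field names and sample bodies are assumptions made up for the example.

```python
import json
import pickle

# Hypothetical schema for an "order" message: field -> allowed type.
# Only flat primitive fields are accepted; no class is ever instantiated.
ORDER_SCHEMA = {"order_id": int, "sku": str, "quantity": int}


class UntrustedDataError(ValueError):
    """Raised when a request body does not match the expected schema."""


def load_order(body: bytes) -> dict:
    """Safe replacement for pickle.loads(request.body): json.loads can only
    yield dict/list/str/int/float/bool/None, so the bytes can never build an
    arbitrary object or fire a magic method; the rest is checked explicitly."""
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise UntrustedDataError(f"body is not valid JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise UntrustedDataError("top-level value must be a JSON object")
    unknown = set(data) - set(ORDER_SCHEMA)
    if unknown:
        raise UntrustedDataError(f"unexpected fields: {sorted(unknown)}")
    out = {}
    for field, expected in ORDER_SCHEMA.items():
        if field not in data:
            raise UntrustedDataError(f"missing field: {field}")
        value = data[field]
        # bool is a subclass of int in Python; reject it for int fields.
        if isinstance(value, bool) or not isinstance(value, expected):
            raise UntrustedDataError(f"{field}: expected {expected.__name__}")
        out[field] = value
    if out["quantity"] <= 0:
        raise UntrustedDataError("quantity must be positive")
    return out


def rejects(body: bytes) -> bool:
    # True when load_order refuses the body; used to check the validation.
    try:
        load_order(body)
    except UntrustedDataError:
        return True
    return False


# Constructed samples: a JSON order, and the same dict pickled (refused,
# because the hardened loader never hands bytes to pickle at all).
GOOD_BODY = b'{"order_id": 42, "sku": "ABC-1", "quantity": 3}'
PICKLED_BODY = pickle.dumps({"order_id": 42, "sku": "ABC-1", "quantity": 3})
```

Unknown keys, wrong types and non-object top-level values are all rejected before any field is used, which is the "validate" half of the fix above.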
Scan your repo for CWE-502
Free preview of findings. Pay per scan — no subscription. AI auto-fix PR included on the Scan + Fix tier.
Frequently asked questions
What is CWE-502 (Deserialization of Untrusted Data)?
Deserialising attacker-controlled bytes into native objects, letting the attacker construct unexpected types that trigger code execution via magic methods.
How do I fix deserialization of untrusted data?
Don't accept serialised native objects from the network. Use JSON for data interchange. If you must deserialise, use schemas (Avro, Protobuf with explicit types) and validate.
Does GateTest detect deserialization of untrusted data?
Yes — GateTest's security module catches this class. Findings appear in the standard scan output with file and line numbers. On the Scan + Fix and Forensic Scan tiers, Claude opens a pull request with the fix.
What rank is Deserialization of Untrusted Data in the CWE Top 25?
Deserialization of Untrusted Data is ranked #15 in the MITRE 2023 CWE Top 25 Most Dangerous Software Weaknesses list. The ranking reflects both prevalence (how often it appears in real CVEs) and severity (the typical impact when it's exploited).