SYM_CS_0028 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language | csharp |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Low |
Description
Using SoapFormatter (System.Runtime.Serialization.Formatters.Soap, .NET Framework only) to deserialize data is insecure because the SOAP payload itself names the .NET types to instantiate: an attacker who controls the input can make the runtime construct arbitrary types and run code during Deserialize(), before the result is ever cast or validated. Even if the data source appears trusted, SoapFormatter cannot be made secure (a SerializationBinder or other type filter on the formatter is not sufficient protection) and should not be used; replace it with a serializer that only produces the type the caller specifies, such as DataContractSerializer or System.Text.Json.
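The pattern this rule flags, next to a safe replacement, as an added example (not code from the Symbiotic database; the `Order` type, the `OrderImport` class and the method names are assumptions for illustration):

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Soap; // System.Runtime.Serialization.Formatters.Soap.dll, .NET Framework only

// Plain data type the application expects to receive (constructed for this example).
[DataContract]
public class Order
{
    [DataMember] public int Id { get; set; }
    [DataMember] public string Customer { get; set; }
}

public static class OrderImport
{
    // VULNERABLE: SoapFormatter reads the type names from the payload and
    // instantiates them, so an attacker who controls 'untrusted' chooses what
    // gets constructed during Deserialize(). The cast to Order happens only
    // after the damage is done. This is the call the rule reports.
    public static Order LoadVulnerable(Stream untrusted)
    {
        var formatter = new SoapFormatter();
        return (Order)formatter.Deserialize(untrusted);
    }

    // STILL VULNERABLE: restricting type resolution with a SerializationBinder
    // narrows the attack surface but does not make the formatter safe, and is
    // not an accepted fix for this finding. Shown so reviewers recognise it.
    public static Order LoadWithBinderStillUnsafe(Stream untrusted)
    {
        var formatter = new SoapFormatter { Binder = new OrderOnlyBinder() };
        return (Order)formatter.Deserialize(untrusted);
    }

    // FIXED: DataContractSerializer is constructed with the one type it may
    // produce; the XML cannot name other types or trigger their constructors.
    public static Order LoadSafe(Stream untrusted)
    {
        var serializer = new DataContractSerializer(typeof(Order));
        return (Order)serializer.ReadObject(untrusted);
    }
}

// Binder used by LoadWithBinderStillUnsafe (hypothetical helper).
sealed class OrderOnlyBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName) =>
        typeName == typeof(Order).FullName
            ? typeof(Order)
            : throw new SerializationException("type not allowed: " + typeName);
}
```

When remediating, look for every `SoapFormatter` construction and `Deserialize` call in the code base, not only the ones that obviously read from the network; a "trusted" file or database column that an attacker can influence is the same exposure. The DataContractSerializer replacement changes the wire format, so callers producing the SOAP payload must be updated at the same time.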
Impact
If exploited, an attacker who can supply the SOAP payload can execute arbitrary code on the server in the security context of the application, leading to data theft, full server takeover, or lateral movement into internal systems. The result is a severe compromise of application integrity and of the organisation's security.