SYM_CS_0029 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language | csharp |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
Implementing a custom DataContractResolver is risky if you do not fully control which data types can be deserialized. A resolver that accepts untrusted or unknown type names lets an attacker choose which types are instantiated, supplying malicious objects that trigger unexpected behavior during deserialization.
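As an added illustration (not code from this database entry), a permissive resolver that looks up whatever type name the payload supplies, beside an allowlisting resolver that only admits types the service itself emits; the `Order` contract and the `urn:example-resolver` namespace are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Xml;

[DataContract] public class Order { [DataMember] public int Id { get; set; } } // constructed sample contract

// Shared write side: both resolvers emit the CLR full name under a fixed namespace.
public abstract class NameResolverBase : DataContractResolver
{
    protected const string Ns = "urn:example-resolver"; // assumed namespace
    public override bool TryResolveType(Type type, Type declaredType, DataContractResolver knownTypeResolver,
        out XmlDictionaryString typeName, out XmlDictionaryString typeNamespace)
    {
        var dict = new XmlDictionary();
        typeName = dict.Add(type.FullName);
        typeNamespace = dict.Add(Ns);
        return true;
    }
}

// VULNERABLE: Type.GetType on a name taken from the payload lets the sender pick
// which type is instantiated; the effective allowlist is "any loadable type".
public class PermissiveResolver : NameResolverBase
{
    public override Type ResolveName(string typeName, string typeNamespace, Type declaredType,
        DataContractResolver knownTypeResolver)
        => Type.GetType(typeName)
           ?? knownTypeResolver.ResolveName(typeName, typeNamespace, declaredType, null);
}

// HARDENED: explicit allowlist keyed by the names this service writes; anything else
// falls back to statically declared known types, and null makes the serializer reject it.
public class AllowlistResolver : NameResolverBase
{
    private static readonly Dictionary<string, Type> Allowed =
        new Dictionary<string, Type> { [typeof(Order).FullName] = typeof(Order) };

    public override Type ResolveName(string typeName, string typeNamespace, Type declaredType,
        DataContractResolver knownTypeResolver)
    {
        if (typeNamespace == Ns && Allowed.TryGetValue(typeName, out var t)) return t;
        return knownTypeResolver.ResolveName(typeName, typeNamespace, declaredType, null);
    }
}

public static class Demo
{
    // Throws SerializationException when the resolver returns null for the payload's type.
    public static object Read(string xml, DataContractResolver resolver)
    {
        var ser = new DataContractSerializer(typeof(object),
            new DataContractSerializerSettings { DataContractResolver = resolver });
        using (var reader = XmlReader.Create(new StringReader(xml))) return ser.ReadObject(reader);
    }
}
```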
Impact
If exploited, an attacker can inject specially crafted data that leads to remote code execution, data tampering, or denial of service. This compromises application integrity, can expose sensitive information, and may allow full system compromise.