SYM_CS_0031 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language | csharp |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
Using fastJSON with the `$type` extension enabled and `BadListTypeChecking` disabled lets the JSON input decide which .NET types are instantiated during deserialization. When that JSON comes from an untrusted source, the sender controls what objects get created, which is dangerous.
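The following C# is an added example, not code from the wiki or from fastJSON, showing the weak configuration this entry describes next to a hardened path. It assumes fastJSON 2.x, where `JSONParameters` exposes the `UseExtensions`, `BadListTypeChecking` and `BlackListTypeChecking` settings, `JSON.Parse` returns a plain `Dictionary<string, object>` / `List<object>` tree, and `JSON.ToObject<T>` performs the typed deserialization; the `OrderRequest` DTO and the input strings are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using fastJSON;

// Constructed DTO for this example; the entry names no application types.
public class OrderRequest
{
    public string Sku { get; set; }
    public int Quantity { get; set; }
}

public static class FastJsonDeserialization
{
    // Weak configuration the entry describes: $type hints are honoured and the
    // library's list-type check is switched off, so the input decides which
    // .NET types are constructed. Shown for contrast only.
    public static OrderRequest DeserializeWeak(string untrustedJson)
    {
        var weak = new JSONParameters
        {
            UseExtensions = true,        // honour $type / $types in the input
            BadListTypeChecking = false  // disables fastJSON's dangerous-type check
        };
        return JSON.ToObject<OrderRequest>(untrustedJson, weak);
    }

    // Hardened path: keep fastJSON's own type checks at their defaults and,
    // before handing the text to the typed deserializer, reject any document
    // that carries $-prefixed keys. A legitimate client never sends type hints,
    // so the guard removes the input's say over which types are created.
    public static OrderRequest DeserializeHardened(string untrustedJson)
    {
        // JSON.Parse builds a plain Dictionary/List tree without resolving types.
        object tree = JSON.Parse(untrustedJson);
        if (ContainsTypeHint(tree))
            throw new InvalidOperationException("type hints are not accepted from clients");

        var hardened = new JSONParameters
        {
            BadListTypeChecking = true,   // library defaults, stated explicitly
            BlackListTypeChecking = true
        };
        return JSON.ToObject<OrderRequest>(untrustedJson, hardened);
    }

    // Walks the parsed tree and reports any object key beginning with '$'
    // ($type, $types, ...) at any depth.
    public static bool ContainsTypeHint(object node)
    {
        switch (node)
        {
            case Dictionary<string, object> obj:
                foreach (var kv in obj)
                {
                    if (kv.Key.StartsWith("$", StringComparison.Ordinal)) return true;
                    if (ContainsTypeHint(kv.Value)) return true;
                }
                return false;
            case List<object> arr:
                foreach (var item in arr)
                    if (ContainsTypeHint(item)) return true;
                return false;
            default:
                return false; // strings, numbers, booleans, null
        }
    }

    public static void Main()
    {
        // Constructed inputs: a normal order, and one carrying a $type hint.
        string normal = "{\"Sku\":\"A-100\",\"Quantity\":2}";
        string hinted = "{\"$type\":\"OrderRequest\",\"Sku\":\"A-100\",\"Quantity\":2}";

        var order = DeserializeHardened(normal);
        Console.WriteLine($"accepted: {order.Sku} x{order.Quantity}");

        try
        {
            DeserializeHardened(hinted);
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine($"rejected: {ex.Message}");
        }
    }
}
```

The pre-parse guard is deliberately independent of the `JSONParameters` flags: the typed deserializer resolves a `$type` value before the cast to `OrderRequest` can fail, so a post-deserialization type check would run too late, whereas rejecting `$`-prefixed keys up front means no input-chosen type is ever looked up. Keeping `BadListTypeChecking` and `BlackListTypeChecking` at their defaults remains the baseline the entry calls for; the guard adds a second layer for inputs that are not supposed to carry type hints at all.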
Impact
If exploited, an attacker could craft malicious JSON that instantiates unexpected or dangerous objects, potentially leading to arbitrary code execution, data tampering, or full system compromise. This threatens the security and integrity of the application and of any connected systems.