SYM_CS_0034 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language | csharp |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Low |
Description
Using NetDataContractSerializer to deserialize data is unsafe. Unlike DataContractSerializer, which is bound to a fixed type at construction time, NetDataContractSerializer embeds the full CLR type and assembly names in its output and honors them on input: whatever types the payload names are loaded and instantiated during deserialization, before any of your application's validation runs. An attacker who controls or can tamper with the input can therefore name types whose constructors, property setters or deserialization callbacks do dangerous things (the well-known .NET "gadget" types), and the serializer will run them. There is no safe configuration of this serializer for untrusted input; Microsoft's own guidance is not to use it at all, and treating input as "trusted" is not a defense, because any intermediate storage, cache or channel the data passes through becomes part of the attack surface.
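The following is an added example, not code from the Symbiotic-Vulnerability-Database or from any project it describes. It shows the flagged pattern beside a hardened replacement: the unsafe method hands untrusted XML to NetDataContractSerializer, which instantiates whatever types the payload names; the safe method uses DataContractSerializer pinned to the single expected type, so a payload naming a different type fails instead of executing it. The `Order` contract, the method names and the sample XML are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Text;
using System.Xml;

// Constructed example contract: the only type this endpoint should ever accept.
[DataContract]
public class Order
{
    [DataMember] public string Id { get; set; }
    [DataMember] public int Quantity { get; set; }
}

public static class OrderCodec
{
    // VULNERABLE: NetDataContractSerializer trusts the CLR type/assembly names
    // embedded in the XML and instantiates them. The cast to Order happens only
    // after the payload's types have already been constructed, so it does not
    // prevent a malicious type from running its constructor or callbacks.
    public static Order DeserializeUnsafe(Stream untrusted)
    {
        var serializer = new NetDataContractSerializer();
        return (Order)serializer.Deserialize(untrusted);
    }

    // HARDENED: DataContractSerializer is bound to Order when it is created.
    // Type names in the payload are not honored; input that is not an Order
    // contract raises SerializationException rather than loading a type.
    // The XmlReaderSettings additionally refuse DTDs, which closes the
    // separate XXE / entity-expansion problem on the same input.
    public static Order DeserializeSafe(Stream untrusted)
    {
        var serializer = new DataContractSerializer(typeof(Order));
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            MaxCharactersFromEntities = 0,
        };
        using (var reader = XmlReader.Create(untrusted, settings))
        {
            return (Order)serializer.ReadObject(reader);
        }
    }

    // Serialize with the same pinned serializer so producer and consumer agree
    // on the contract; no CLR type names are written into the output.
    public static byte[] Serialize(Order order)
    {
        var serializer = new DataContractSerializer(typeof(Order));
        using (var ms = new MemoryStream())
        {
            serializer.WriteObject(ms, order);
            return ms.ToArray();
        }
    }

    public static void Main()
    {
        // Round-trip through the safe path with constructed sample data.
        byte[] wire = Serialize(new Order { Id = "A-100", Quantity = 3 });
        Order back = DeserializeSafe(new MemoryStream(wire));
        Console.WriteLine($"{back.Id} x{back.Quantity}");

        // Constructed payload that names a type other than Order. The safe
        // path rejects it with SerializationException; the unsafe path would
        // instead try to resolve and instantiate whatever type was named.
        string foreign =
            "<Foo xmlns=\"http://schemas.datacontract.org/2004/07/\" " +
            "xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\"/>";
        try
        {
            DeserializeSafe(new MemoryStream(Encoding.UTF8.GetBytes(foreign)));
            Console.WriteLine("unexpected: foreign element accepted");
        }
        catch (SerializationException ex)
        {
            Console.WriteLine("rejected as expected: " + ex.Message);
        }
    }
}
```

When auditing, grep for `NetDataContractSerializer` and treat every `Deserialize`/`ReadObject` call on it as a finding regardless of where the input comes from; the Roslyn analyzer rule CA2310 flags the same pattern. Setting a `SerializationBinder` on the serializer narrows the attack surface but is not a substitute for removing it, since the replacement serializer above needs no binder to be type-safe.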
Impact
If exploited, an attacker who can supply or modify the serialized input can have the deserialization step instantiate types of their choosing and thereby execute arbitrary code in the process that performs the deserialization. Because the code runs during deserialization itself, it executes before any application-level validation of the resulting object and with the full privileges of the deserializing process, which typically means reading or altering any data the application can reach, and on a server, taking control of the host. The outcome is remote code execution, data breach, or system takeover, and the exposure extends to every path by which serialized data reaches the application, including files, caches and message queues that were assumed to be trusted.