SYM_JAVA_0055 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A8:2017 Insecure Deserialization |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Low |
Description
Enabling default typing in Jackson (e.g., with enableDefaultTyping() or certain @JsonTypeInfo annotations) exposes your application to unsafe deserialization. When user-controlled JSON is read with such a mapper, the type identifier embedded in the JSON, rather than your code, decides which class is instantiated, so attackers can craft payloads that instantiate unexpected classes during deserialization.
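The weak setting beside a hardened one, as an added example that is not part of this database entry. It assumes Jackson 2.10 or later and uses hypothetical application classes (Note, Envelope) and a hypothetical package prefix; the JSON inputs are constructed.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingExample {

    // Hypothetical application type: the only class JSON should ever instantiate here.
    public static class Note { public String text; }

    // A non-final declared type such as Object is exactly where default typing
    // lets the JSON document, rather than the code, choose the concrete class.
    public static class Envelope { public Object payload; }

    // The weak setting this rule flags: any class on the classpath may be named
    // as the type id. (enableDefaultTyping() is deprecated since Jackson 2.10.)
    @SuppressWarnings("deprecation")
    static ObjectMapper unsafeMapper() {
        return new ObjectMapper().enableDefaultTyping();
    }

    // Hardened setting: default typing stays on for the polymorphic field, but an
    // explicit validator allowlists the application's own types, so anything else
    // is rejected before a constructor or setter of that class can run.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Note.class)
                .allowIfSubType("com.example.model.")   // hypothetical package prefix
                .build();
        return new ObjectMapper()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    // Returns the runtime class of the payload, or "REJECTED" if Jackson refused the type id.
    static String payloadClass(ObjectMapper mapper, String json) throws Exception {
        try {
            return mapper.readValue(json, Envelope.class).payload.getClass().getName();
        } catch (JsonMappingException e) {
            return "REJECTED: " + e.getOriginalMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs in Jackson's default WRAPPER_ARRAY form: ["<type id>", <value>]
        String allowed = "{\"payload\":[\"" + Note.class.getName() + "\",{\"text\":\"hi\"}]}";
        String offList = "{\"payload\":[\"java.util.HashMap\",{}]}"; // harmless, but not allowlisted

        System.out.println("unsafe   / allowed : " + payloadClass(unsafeMapper(), allowed));
        System.out.println("unsafe   / off-list: " + payloadClass(unsafeMapper(), offList));   // instantiated
        System.out.println("hardened / allowed : " + payloadClass(hardenedMapper(), allowed));
        System.out.println("hardened / off-list: " + payloadClass(hardenedMapper(), offList)); // REJECTED
    }
}
```

The last line is the check a reviewer wants to see: with the validator in place, a type id outside the allowlist fails with a JsonMappingException instead of being instantiated.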
Impact
An attacker could exploit this to achieve remote code execution, running arbitrary code on your server. This can lead to full system compromise, data theft, service disruption, or further attacks against your infrastructure.