SYM_PY_0065 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language | Python |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Loading data with Python's marshal module (marshal.load or marshal.loads) from an untrusted source is unsafe. marshal is the internal format used for Python's own .pyc files, not a general-purpose serialization format, and it performs no validation of its input; the module documentation itself warns that it is not intended to be secure against erroneous or maliciously constructed data and that data from an untrusted or unauthenticated source must never be unmarshaled. Because marshal can reconstruct code objects, an attacker who controls the bytes can supply a code object of their choosing; if the application executes the result (for example with exec, or by wrapping it in a function), attacker-chosen code runs. Malformed input can also raise unexpected exceptions or crash the interpreter.
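The following is an added example, not code from the Symbiotic-Vulnerability-Database project. It constructs a small cache of compiled snippets stored as marshal blobs, shows how a blob an attacker substitutes executes their code when it is unmarshaled and run, and then shows one hardening: authenticating each blob with HMAC-SHA256 before marshal.loads ever sees it, so only blobs the application sealed itself are accepted. The cache scenario, the blobs, and KEY are all constructed for the example.

```python
import hashlib
import hmac
import marshal

# Constructed scenario (example code, not the database's own): an application
# caches compiled snippets as marshal blobs and later reloads and runs them.


def build_cache_blob(source: str) -> bytes:
    """Serialise a compiled code object the way a naive cache would."""
    return marshal.dumps(compile(source, "<cached>", "exec"))


def run_cached_unsafe(blob: bytes) -> dict:
    """VULNERABLE: marshal.loads rebuilds whatever object the bytes describe,
    a code object included, with no validation; exec then runs it."""
    code = marshal.loads(blob)
    namespace: dict = {}
    exec(code, namespace)
    return namespace


# Entry the application wrote itself.
TRUSTED_BLOB = build_cache_blob("result = 2 + 2")

# An attacker who can write to the cache (or supply the blob over the network)
# substitutes their own code. os.getcwd() stands in for any payload.
ATTACKER_BLOB = build_cache_blob("import os\nresult = os.getcwd()")

# Hardened pattern: unmarshal only blobs the application sealed with a keyed MAC.
# KEY is a placeholder for the example; a real deployment loads it from a secret store.
KEY = b"example-only-key-do-not-use"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def seal(blob: bytes, key: bytes = KEY) -> bytes:
    """Prefix the blob with HMAC-SHA256(key, blob)."""
    return hmac.new(key, blob, hashlib.sha256).digest() + blob


def run_cached_sealed(sealed: bytes, key: bytes = KEY) -> dict:
    """Verify the MAC before marshal.loads sees a single byte of the payload."""
    tag, blob = sealed[:TAG_LEN], sealed[TAG_LEN:]
    expected = hmac.new(key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cache blob failed authentication; refusing to unmarshal")
    # Safe only because the blob is now known to have been produced by us.
    return run_cached_unsafe(blob)


if __name__ == "__main__":
    print(run_cached_unsafe(TRUSTED_BLOB)["result"])        # 4
    print(run_cached_unsafe(ATTACKER_BLOB)["result"])       # attacker's code ran
    print(run_cached_sealed(seal(TRUSTED_BLOB))["result"])  # 4
    forged = seal(TRUSTED_BLOB)[:TAG_LEN] + ATTACKER_BLOB   # valid tag, wrong payload
    try:
        run_cached_sealed(forged)
    except ValueError as exc:
        print("rejected:", exc)
```

The MAC check is the right fix only when the application genuinely needs to round-trip code objects (a bytecode cache it writes itself); when the data being exchanged is plain values, use a format that cannot express code at all, such as json, and drop marshal entirely. Note also that marshal output is specific to the Python version that produced it, so even authenticated blobs must be regenerated on interpreter upgrades.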
Impact
If exploited, this vulnerability could let attackers execute arbitrary Python code in the context of the application, read or modify sensitive data, or disrupt application logic, leading to full system compromise or a data breach. Applications that pass untrusted input (network payloads, uploaded files, or cache entries an attacker can write) to marshal.load or marshal.loads are especially at risk.
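To find the at-risk call sites this entry describes, the following added example (not the database's own detection logic) walks a module's AST and reports every call to marshal.load or marshal.loads, including calls made through an import alias or a from-import. The SAMPLE source it scans is constructed for the example.

```python
import ast

UNSAFE_FUNCS = {"load", "loads"}


class MarshalFinder(ast.NodeVisitor):
    """Collect (line, call) pairs for marshal.load / marshal.loads calls."""

    def __init__(self) -> None:
        self.module_names: set[str] = set()  # names bound to the marshal module
        self.func_names: set[str] = set()    # names bound directly to load/loads
        self.findings: list[tuple[int, str]] = []

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            if alias.name == "marshal":
                self.module_names.add(alias.asname or alias.name)
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module == "marshal":
            for alias in node.names:
                if alias.name in UNSAFE_FUNCS:
                    self.func_names.add(alias.asname or alias.name)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        # marshal.loads(...) or alias.loads(...)
        if (isinstance(func, ast.Attribute) and func.attr in UNSAFE_FUNCS
                and isinstance(func.value, ast.Name)
                and func.value.id in self.module_names):
            self.findings.append((node.lineno, f"{func.value.id}.{func.attr}"))
        # loads(...) after `from marshal import loads [as name]`
        elif isinstance(func, ast.Name) and func.id in self.func_names:
            self.findings.append((node.lineno, func.id))
        self.generic_visit(node)


def find_marshal_loads(source: str) -> list[tuple[int, str]]:
    """Return every unsafe marshal call in `source` as (line number, call text)."""
    finder = MarshalFinder()
    finder.visit(ast.parse(source))
    return finder.findings


# Constructed sample module; only json.loads on line 10 should be left alone.
SAMPLE = """import marshal
import marshal as m
from marshal import loads as unmarshal
import json

def handler(blob, path):
    a = marshal.loads(blob)
    b = m.load(open(path, "rb"))
    c = unmarshal(blob)
    d = json.loads(blob)
    return a, b, c, d
"""

if __name__ == "__main__":
    for lineno, call in find_marshal_loads(SAMPLE):
        print(f"line {lineno}: {call}() on untrusted data is CWE-502")
```

The visitor only resolves simple names, so a call reached through another object (getattr, a re-exported module, or an attribute of a class) is not reported; that is a deliberate trade-off for a low false-positive rule and is the main reason such a rule is scored at low confidence rather than high.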