SYM_PY_0117 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
Deserializing data using Python's pickle (or similar modules) with untrusted input can allow attackers to execute arbitrary code. This is because pickle is not safe for loading data received from users or external sources.
Impact
If exploited, an attacker could craft malicious serialized data that, when processed by pickle, runs their own code on your server. This could lead to data theft, service disruption, unauthorized access, or full system compromise.