SYM_PY_0120 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
The code calls an insecure deserialization function (such as `pickle.loads` or `yaml.load`) inside a Flask route. If the data being deserialized comes from an untrusted request, an attacker can make the deserializer execute arbitrary code. Do not pass user-supplied data to these functions; use a safer format such as JSON for serialization instead.
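As an added example (not code from the Symbiotic database, the SYM_PY_0120 rule, or the original page), here is a small AST-based check in the spirit of this rule: it walks a Flask module and reports `pickle.load`/`pickle.loads`, `yaml.unsafe_load`, and `yaml.load` called without `Loader=yaml.SafeLoader` (or `CSafeLoader`), noting whether each call sits inside a route handler. The rule's real matching logic is not on this page, so the heuristics here are an approximation, and the Flask module it scans is a constructed sample.

```python
import ast
from dataclasses import dataclass

# Constructed sample of a Flask module (not code from the original page):
# two handlers deserialize request bodies unsafely, one does it safely, and one
# unsafe call sits outside any route.
SAMPLE_SOURCE = '''
import json
import pickle
import yaml
from flask import Flask, request

app = Flask(__name__)

@app.route("/session", methods=["POST"])
def load_session():
    obj = pickle.loads(request.get_data())      # CWE-502: untrusted bytes
    return str(obj)

@app.post("/config")
def load_config():
    cfg = yaml.load(request.get_data())         # no Loader= given
    return str(cfg)

@app.post("/safe")
def load_safe():
    data = json.loads(request.get_data())       # plain data, no object construction
    cfg = yaml.load(request.get_data(), Loader=yaml.SafeLoader)
    more = yaml.safe_load(request.get_data())
    return str((data, cfg, more))

def rebuild(blob):
    return pickle.loads(blob)                   # unsafe, but not a route handler
'''

# Calls that build arbitrary Python objects from the bytes they parse.
UNSAFE_CALLS = {"pickle.load", "pickle.loads", "yaml.unsafe_load"}
SAFE_YAML_LOADERS = {"SafeLoader", "CSafeLoader"}
# Decorator attribute names treated as Flask route registrations (assumption).
FLASK_ROUTE_DECORATORS = {"route", "get", "post", "put", "patch", "delete"}


@dataclass(frozen=True)
class Finding:
    line: int        # line within the analysed source
    call: str        # dotted name of the flagged call
    in_route: bool   # True when the call sits inside a Flask view function


def _dotted_name(node: ast.AST):
    """Return 'module.attr' for calls like pickle.loads(...); None otherwise."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return f"{node.value.id}.{node.attr}"
    return None


def _unsafe_call_name(call: ast.Call):
    """Name of the unsafe deserializer being called, or None if the call is fine."""
    name = _dotted_name(call.func)
    if name in UNSAFE_CALLS:
        return name
    if name == "yaml.load":
        # yaml.load is only acceptable with an explicit SafeLoader/CSafeLoader.
        for kw in call.keywords:
            if kw.arg == "Loader":
                loader = kw.value
                loader_name = loader.attr if isinstance(loader, ast.Attribute) else getattr(loader, "id", None)
                if loader_name in SAFE_YAML_LOADERS:
                    return None
        return name
    return None


def _is_flask_view(func: ast.FunctionDef) -> bool:
    """True if the function is decorated with app.route / app.post / etc."""
    for dec in func.decorator_list:
        target = dec.func if isinstance(dec, ast.Call) else dec
        if isinstance(target, ast.Attribute) and target.attr in FLASK_ROUTE_DECORATORS:
            return True
    return False


def find_unsafe_deserialization(source: str):
    """Walk every function in `source` and report unsafe deserialization calls."""
    tree = ast.parse(source)
    findings, seen = [], set()
    for func in ast.walk(tree):
        if not isinstance(func, ast.FunctionDef):
            continue
        in_route = _is_flask_view(func)
        for node in ast.walk(func):
            # `seen` keeps a nested function's calls from being reported twice.
            if isinstance(node, ast.Call) and id(node) not in seen:
                seen.add(id(node))
                name = _unsafe_call_name(node)
                if name:
                    findings.append(Finding(node.lineno, name, in_route))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in find_unsafe_deserialization(SAMPLE_SOURCE):
        where = "in Flask route" if f.in_route else "outside route"
        print(f"line {f.line}: {f.call} ({where})")
```

Run against the sample it reports three findings: the `pickle.loads` and `yaml.load` calls in the two route handlers, and the `pickle.loads` in `rebuild`, which is outside any route and would normally be triaged at lower confidence. The `/safe` handler, which uses `json.loads`, `yaml.safe_load`, and `yaml.load` with `SafeLoader`, is the pattern the rule recommends and produces no finding.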
Impact
If exploited, an attacker could run malicious code on your server, leading to data theft, server compromise, or full control over the application. This can result in data breaches, service disruption, or further attacks on your organization’s infrastructure.