SYM_PY_0183 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Deserialization of Untrusted Data
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-502: Deserialization of Untrusted Data |
OWASP | A08:2017 - Insecure Deserialization |
Confidence Level | Medium |
Impact Level | Medium |
Likelihood Level | Medium |
Description
The code uses insecure deserialization functions like pickle, cPickle, dill, shelve, or unsafe yaml loaders to process data that may come from user input. These libraries can execute arbitrary code during deserialization, making it unsafe to use them with untrusted data.
Impact
If exploited, an attacker could craft malicious input that, when deserialized, runs arbitrary code on the server. This could lead to full system compromise, data theft, or service disruption, severely impacting the application's security and reliability.
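The pattern described above, as an added example that is not part of the original wiki entry: `unsafe_loads` is the vulnerable call, `references_globals` is a detection check that scans the pickle opcode stream before anything is executed, and `RestrictedUnpickler` is the hardened form that refuses every global lookup not on an allow-list. `SAFE_GLOBALS` is a hypothetical allow-list; a real application would list only the classes it genuinely needs.

```python
import collections
import io
import pickle
import pickletools

# VULNERABLE: pickle.loads resolves any module.attribute the stream names
# and calls it, so untrusted bytes can drive arbitrary code execution.
def unsafe_loads(data: bytes):
    return pickle.loads(data)

# Opcodes that resolve or invoke Python objects. A stream of plain data
# (dicts, lists, strings, numbers) never needs any of them.
OBJECT_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
                  "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}

def references_globals(data: bytes) -> bool:
    """Detection check: does this pickle try to import or call anything?
    pickletools.genops only disassembles; it does not execute the stream."""
    try:
        return any(op.name in OBJECT_OPCODES for op, _, _ in pickletools.genops(data))
    except Exception:
        return True  # malformed stream: treat as suspicious, not as safe

# Hypothetical allow-list of (module, name) pairs the application needs.
SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}

class RestrictedUnpickler(pickle.Unpickler):
    """HARDENED: find_class is the single choke point through which pickle
    resolves GLOBAL/STACK_GLOBAL references, so gating it here blocks
    reconstruction of any callable not explicitly allowed."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")

def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def restricted_loads_or_none(data: bytes):
    """Returns the object, or None if the stream referenced a forbidden global."""
    try:
        return restricted_loads(data)
    except pickle.UnpicklingError:
        return None

if __name__ == "__main__":
    # Constructed samples: plain data versus a stream that names a class.
    plain = pickle.dumps({"a": [1, 2], "b": frozenset({3})})
    with_class = pickle.dumps(collections.OrderedDict(a=1))
    print(references_globals(plain), references_globals(with_class))  # False True
    print(restricted_loads_or_none(plain), restricted_loads_or_none(with_class))
```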