SYM_RB_0007 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Deserialization of Untrusted Data
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-502: Deserialization of Untrusted Data |
OWASP | A08:2017 - Insecure Deserialization |
Confidence Level | Low |
Impact Level | High |
Likelihood Level | Low |
Description
Using YAML.load on untrusted input in Ruby can allow attackers to execute arbitrary code or load dangerous objects. This happens because YAML.load deserializes and instantiates whatever Ruby objects the document names, so it is unsafe for user-supplied data.
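The following is an added example written for this entry, not code from the Symbiotic-Vulnerability-Database project. It places the unsafe pattern beside the hardened form and runs both over constructed inputs: a plain config document, a document carrying a `!ruby/object` tag, and a document using an alias. The `AuditEvent` class is an assumed, harmless stand-in used only to show that a tag in the input is enough to make the unsafe loader allocate an instance; `parse_config` and `legacy_load` are names chosen here. Because Psych 4 (Ruby 3.1 and later) moved the object-instantiating behaviour from `YAML.load` to `YAML.unsafe_load`, the example picks whichever method carries that behaviour on the running interpreter.

```ruby
require 'yaml'

# Harmless stand-in class (an assumption for this example): under an unsafe load,
# a YAML tag naming it is enough for the parser to allocate an instance and set its
# instance variables from the mapping, without any application code asking for it.
class AuditEvent
  attr_reader :label
end

# Constructed sample inputs, not taken from the original page.
BENIGN_YAML = "name: demo\nretries: 3\n".freeze
TAGGED_YAML = "--- !ruby/object:AuditEvent\nlabel: injected\n".freeze
ALIAS_YAML  = "a: &x 1\nb: *x\n".freeze

# The pattern this entry warns about. Before Psych 4 (Ruby 3.1) YAML.load behaved
# this way; Psych 4 renamed that behaviour to YAML.unsafe_load, so the guard keeps
# the example runnable on both generations of the library.
def legacy_load(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Hardened form: only plain scalars, arrays and hashes are reconstructed. Any tag
# naming a class outside the explicit allowlist, and any alias, is rejected before
# anything is instantiated, and the caller gets a structured error instead of an
# exception escaping into request handling.
def parse_config(text, permitted_classes: [])
  YAML.safe_load(text, permitted_classes: permitted_classes, aliases: false)
rescue Psych::DisallowedClass
  { error: :disallowed_class }
rescue Psych::BadAlias
  { error: :alias_rejected }
end

if __FILE__ == $PROGRAM_NAME
  p legacy_load(TAGGED_YAML)   # an AuditEvent instance with @label = "injected"
  p parse_config(TAGGED_YAML)  # {:error=>:disallowed_class}
  p parse_config(BENIGN_YAML)  # {"name"=>"demo", "retries"=>3}
  p parse_config(ALIAS_YAML)   # {:error=>:alias_rejected}
end
```

The allowlist parameter is the right escape hatch when an application genuinely needs a typed value such as a `Date` or a `Symbol`: pass exactly those classes in `permitted_classes` rather than falling back to the unsafe loader. Rejecting aliases closes the separate resource-exhaustion problem of deeply nested anchor references, which `safe_load` also leaves enabled unless told otherwise.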
Impact
If exploited, an attacker could run malicious code on your server, potentially leading to data theft, system compromise, or a complete takeover of your application. This vulnerability puts both your application and its users at severe risk.