SYM_RB_0011 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
The code deserializes user-supplied input (such as request params or cookies) using functions like Marshal.load, CSV.load, or Oj.load. These loaders reconstruct whatever object types the serialized stream names, so an attacker can send crafted serialized data that, when loaded, instantiates arbitrary objects and can lead to execution of attacker-controlled code.
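As an added example (not code from the SymbioticSec wiki), the following Ruby script places the vulnerable pattern next to a hardened loader. `load_prefs_unsafe` hands a client-controlled cookie to `Marshal.load`, and the script shows that the sender decides which class gets instantiated; `load_prefs_safe` switches to a data-only format (JSON with object creation disabled) and validates the result against an allow-list of keys and types. The `Greeting` class, the `load_prefs_*` names, the cookie layout and the sample payloads are assumptions constructed for this demonstration.

```ruby
require 'json'

# Added example, not part of the SymbioticSec wiki: the CWE-502 pattern the
# page describes beside a hardened replacement. Greeting, load_prefs_*, the
# cookie layout and the sample cookies are assumptions for this demo.

# A harmless application class. It exists only to show that Marshal.load
# builds whatever class the serialized stream names.
class Greeting
  attr_reader :text
  def initialize(text)
    @text = text
  end
end

# VULNERABLE (the page's pattern): the client controls the bytes given to
# Marshal.load, so the client chooses which classes are instantiated and with
# which instance variables. Every loadable class becomes attack surface.
def load_prefs_unsafe(cookie_value)
  Marshal.load(cookie_value.unpack1('m0'))
end

# HARDENED: a data-only format parsed with object creation disabled, followed
# by an explicit allow-list of keys and value types.
ALLOWED_PREFS = { 'theme' => String, 'page_size' => Integer }.freeze

class InvalidPreferences < StandardError; end

def load_prefs_safe(cookie_value)
  raw = cookie_value.unpack1('m0') # strict base64; ArgumentError if malformed
  data = JSON.parse(raw, max_nesting: 4, create_additions: false)
  raise InvalidPreferences, 'top-level value must be an object' unless data.is_a?(Hash)

  unknown = data.keys - ALLOWED_PREFS.keys
  raise InvalidPreferences, "unexpected keys: #{unknown.join(', ')}" unless unknown.empty?

  ALLOWED_PREFS.each do |key, type|
    next unless data.key?(key)
    raise InvalidPreferences, "#{key} must be a #{type}" unless data[key].is_a?(type)
  end
  data
rescue ArgumentError, JSON::ParserError => e
  raise InvalidPreferences, "malformed cookie: #{e.message}"
end

# Constructed sample cookies (base64, as they would travel in a Set-Cookie header).
MARSHAL_COOKIE = [Marshal.dump(Greeting.new('hello'))].pack('m0')
JSON_COOKIE    = ['{"theme":"dark","page_size":20}'].pack('m0')
SNEAKY_COOKIE  = ['{"theme":"dark","json_class":"Greeting"}'].pack('m0')

if __FILE__ == $PROGRAM_NAME
  puts "unsafe loader built a #{load_prefs_unsafe(MARSHAL_COOKIE).class} from the cookie"
  puts "safe loader accepted: #{load_prefs_safe(JSON_COOKIE).inspect}"
  [MARSHAL_COOKIE, SNEAKY_COOKIE].each do |cookie|
    begin
      load_prefs_safe(cookie)
    rescue InvalidPreferences => e
      puts "safe loader rejected: #{e.message}"
    end
  end
end
```

The same shape applies to Oj.load (use a strict or compat mode that does not create Ruby objects) and to CSV.load: prefer a parser that yields only plain strings, numbers, arrays and hashes, and treat the schema check as mandatory rather than as a nicety. Where a serialized object graph is genuinely needed, the input must be authenticated (signed or encrypted by the server) before it is ever passed to a loader.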
Impact
If exploited, an attacker could execute arbitrary code on your server, potentially leading to data theft, system compromise, or full takeover of the application environment. This poses a critical risk to both user data and infrastructure.