SYM_RB_0040 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
## Description
The code deserializes data taken from the event object with a method such as Marshal.load, YAML.load, or CSV.load. Deserializing untrusted user input with these methods is unsafe and can let an attacker execute malicious code.
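As an added illustration (example code written for this entry, not code from the Symbiotic database or from any project it scans), the Ruby below shows the flagged pattern as a comment beside hardened equivalents: a restricted YAML loader that refuses class-tagged documents, JSON parsing with object creation kept off, and a MAC check that must pass before Marshal.load touches a byte. It assumes a hypothetical handler that receives an `event` Hash whose values are caller-controlled strings, and a constructed `SIGNING_KEY` placeholder.

```ruby
require "yaml"
require "json"
require "openssl"

# Constructed sample inputs (not from the page): the kind of caller-controlled
# strings an event handler might pull out of a queue message or webhook body.
BENIGN_EVENT = { "config" => "---\nretries: 3\nregion: eu-west-1\n" }.freeze

# A YAML document tagged with a Ruby class. An unrestricted loader would build
# that object; a safe loader must refuse it.
OBJECT_TAGGED_YAML = "--- !ruby/object:OpenStruct\ntable:\n  :x: 1\n"

# The pattern the finding flags (shown as a comment only):
#   YAML.load(event["config"])      # unrestricted on Psych < 4
#   Marshal.load(event["payload"])  # unrestricted in every Ruby version
# Either call lets the input decide which classes get instantiated.

# Hardened YAML: only plain data (Hash, Array, String, Integer, Float, true,
# false, nil). Any class-tagged node or alias raises a Psych exception instead
# of being instantiated.
def load_config(yaml_text)
  YAML.safe_load(yaml_text, permitted_classes: [], aliases: false)
end

# Returns the parsed config Hash, or nil when the document tried to smuggle
# in an object or an alias.
def parse_event_config(event)
  load_config(event.fetch("config"))
rescue Psych::Exception
  nil
end

# JSON is the better wire format for untrusted input: JSON.parse builds only
# plain data unless create_additions is switched on, so keep it off explicitly.
def parse_event_json(json_text)
  JSON.parse(json_text, create_additions: false)
end

# Marshal has no safe mode. If a Marshal blob must be accepted at all, it may
# only come from a producer that shares a secret, and the MAC is verified
# before Marshal.load sees any bytes. SIGNING_KEY is a constructed placeholder;
# a real key is provisioned out of band, never hard-coded.
SIGNING_KEY = "constructed-demo-key-do-not-use".freeze

def sign(blob)
  OpenSSL::HMAC.hexdigest("SHA256", SIGNING_KEY, blob)
end

# Length check, then XOR-accumulate every byte, so comparison time does not
# depend on where the first mismatching byte sits.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the deserialized object only when the tag verifies; nil otherwise.
def load_signed_marshal(blob, tag)
  return nil unless constant_time_equal?(sign(blob), tag)
  Marshal.load(blob)
end

if $PROGRAM_NAME == __FILE__
  puts parse_event_config(BENIGN_EVENT).inspect                   # {"retries"=>3, "region"=>"eu-west-1"}
  puts parse_event_config("config" => OBJECT_TAGGED_YAML).inspect # nil
  blob = Marshal.dump({ "job" => "rebuild-index" })
  puts load_signed_marshal(blob, sign(blob)).inspect              # {"job"=>"rebuild-index"}
  puts load_signed_marshal(blob, "0" * 64).inspect                # nil
end
```

On Psych 4 (Ruby 3.1 and later) `YAML.load` already behaves like `safe_load` and the unrestricted variant is `YAML.unsafe_load`, so the flagged call is unsafe on older Psych versions or wherever `unsafe_load` is used; `Marshal.load` has no restricted variant in any Ruby version, which is why the example gates it behind a MAC rather than trying to sanitize its input.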
## Impact
If exploited, an attacker could run arbitrary code on the server, gain unauthorized access to sensitive data, or take control of the application. This could lead to data breaches, system compromise, or a full takeover of the application infrastructure.