CWE-502: Deserialization of Untrusted Data
Also known as: Marshaling/Marshalling, Unmarshaling/Unmarshalling, Pickling, Unpickling, PHP Object Injection
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Last updated
Overview
CWE-502 (Deserialization of Untrusted Data) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Background
Serialization and deserialization refer to the process of taking program-internal object-related data, packaging it in a way that allows the data to be externally stored or transferred ("serialization"), then extracting the serialized data to reconstruct the original object ("deserialization").
Real-world CVEs
2,227 recorded CVEs are caused by CWE-502 (Deserialization of Untrusted Data), including 68 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 608 new CWE-502 CVEs have been recorded so far in 2026 (635 in 2025).
- CVE-2025-26399CISA KEV
SolarWinds Web Help Desk Deserialization of Untrusted Data Privilege Escalation Vulnerability
Critical · CVSS 10.0 · EPSS 100th2025-09-23 - CVE-2025-53690CISA KEV
Sitecore Products ViewState Deserialization Vulnerability
Critical · CVSS 10.0 · EPSS 98th2025-09-03 - CVE-2025-24813CISA KEV
Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
Critical · CVSS 10.0 · EPSS 100th2025-03-10 - CVE-2025-23006CISA KEVCritical · CVSS 10.0 · EPSS 98th2025-01-23
- CVE-2023-46604CISA KEV
Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack
Critical · CVSS 10.0 · EPSS 100th2023-10-27 - CVE-2023-40044CISA KEV
WS_FTP Server Ad Hoc Transfer Module .NET Deserialization Vulnerability
Critical · CVSS 10.0 · EPSS 100th2023-09-27 - CVE-2023-26359CISA KEV
Adobe ColdFusion Deserialization of Untrusted Data Arbitrary code execution
Critical · CVSS 10.0 · EPSS 97th2023-03-23 - CVE-2023-0669CISA KEV
Fortra GoAnywhere MFT License Response Servlet Command Injection
Critical · CVSS 10.0 · EPSS 100th2023-02-06 - CVE-2021-44228CISA KEV
Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints
Critical · CVSS 10.0 · EPSS 100th2021-12-10 - CVE-2021-39144CISA KEV
XStream is vulnerable to a Remote Command Execution attack
Critical · CVSS 10.0 · EPSS 100th2021-08-23 - CVE-2021-27852CISA KEVCritical · CVSS 10.0 · EPSS 98th2021-05-27
- CVE-2020-7961CISA KEVCritical · CVSS 10.0 · EPSS 100th2020-03-20
Showing 12 of 2,227 recorded CWE-502 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-502 vulnerabilitiesCommon consequences
What can happen when CWE-502 is exploited.
Modify Application Data, Unexpected State
Affects: Integrity
Attackers can modify unexpected objects or data that was assumed to be safe from modification. Deserialized data or code could be modified without using the provided accessor functions, or unexpected functions could be invoked.
DoS: Resource Consumption (CPU)
Affects: Availability
If a function is making an assumption on when to terminate, based on a sentry in a string, it could easily never terminate.
Varies by Context
Affects: Other
The consequences can vary widely, because it depends on which objects or methods are being deserialized, and how they are used. Making an assumption that the code in the deserialized object is valid is dangerous and can enable exploitation. One example is attackers using gadget chains to perform unauthorized actions, such as generating a shell.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
Technologies
How to prevent it
Practical mitigations for CWE-502, grouped by where in the lifecycle they apply.
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Explicitly define a final object() to prevent deserialization.
Make fields transient to protect them from deserialization.
An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.
Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
Effectiveness: Moderate — An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This code snippet deserializes an object from a file and uses it as a UI button:
Vulnerable example
try {Safe example
private final void readObject(ObjectInputStream in) throws java.io.IOException {In Python, the Pickle library handles the serialization and deserialization processes. In this example derived from [REF-467], the code receives and parses data, and afterwards tries to authenticate a user based on validating a token.
Vulnerable example
try {Unfortunately, the code does not verify that the incoming data is legitimate. An attacker can construct a illegitimate, serialized object "AuthToken" that instantiates one of Python's subprocesses to execute arbitrary commands. For instance,the attacker could construct a pickle that leverages Python's subprocess module, which spawns new processes and includes a number of arguments for various uses. Since Pickle allows objects to define the process for how they should be unpickled, the attacker can direct the unpickle process to call Popen in the subprocess module and execute /bin/sh.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2015-4852CISA KEV— Deserialization issue in commonly-used Java library allows remote execution.
- CVE-2024-37052 — insecure deserialization in platform for managing AI/ML applications and models allows code execution via a crafted pickled object in a model file
- CVE-2024-37288 — deserialization of untrusted YAML data in dashboard for data query and visualization of Elasticsearch data
- CVE-2024-9314 — PHP object injection in WordPress plugin for AI-based SEO
- CVE-2019-12799 — chain: bypass of untrusted deserialization issue (CWE-502) by using an assumed-trusted class (CWE-183)
- CVE-2015-8103 — Deserialization issue in commonly-used Java library allows remote execution.
- CVE-2013-1465 — Use of PHP unserialize function on untrusted input allows attacker to modify application configuration.
- CVE-2012-3527 — Use of PHP unserialize function on untrusted input in content management system might allow code execution.
- CVE-2012-0911 — Use of PHP unserialize function on untrusted input in content management system allows code execution using a crafted cookie value.
- CVE-2012-0911 — Content management system written in PHP allows unserialize of arbitrary objects, possibly allowing code execution.
- CVE-2011-2520 — Python script allows local users to execute code via pickled data.
- CVE-2012-4406 — Unsafe deserialization using pickle in a Python script.
- CVE-2003-0791 — Web browser allows execution of native methods via a crafted string to a JavaScript function that deserializes the string.
Terminology & mappings
Alternate terms
- Marshaling/Marshalling, Unmarshaling/Unmarshalling
- Marshaling and unmarshaling are effectively synonyms for serialization and deserialization, respectively.
- Pickling, Unpickling
- In Python, the "pickle" functionality is used to perform serialization and deserialization.
- PHP Object Injection
- Some PHP application researchers use this term when attacking unsafe use of the unserialize() function; but it is also used for CWE-915.
Mapped taxonomies
- CLASP: Deserialization of untrusted data
- The CERT Oracle Secure Coding Standard for Java (2011): Do not deviate from the proper signatures of serialization methods (SER01-J)
- The CERT Oracle Secure Coding Standard for Java (2011): Do not serialize unencrypted, sensitive data (SER03-J)
- The CERT Oracle Secure Coding Standard for Java (2011): Make defensive copies of private mutable components during deserialization (SER06-J)
- The CERT Oracle Secure Coding Standard for Java (2011): Do not use the default serialized form for implementation defined invariants (SER08-J)
- Software Fault Patterns: Tainted input to variable (SFP25)
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-502.
- What is CWE-502?
- The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
- What CVEs are caused by CWE-502?
- 2,227 recorded CVEs are attributed to CWE-502, including CVE-2025-26399, CVE-2025-53690, CVE-2025-24813. 68 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How do you prevent CWE-502?
- If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
- How is CWE-502 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-502?
- Exploiting CWE-502 can lead to: Modify Application Data, Unexpected State, DoS: Resource Consumption (CPU), Varies by Context.
- Is CWE-502 actively exploited?
- Yes. 68 CWE-502 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 2,227 recorded CVEs.
References
- MITRE CWE definition (CWE-502) (opens in a new tab)
- CWE-502 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-502
Get alerted the moment a new CWE-502 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.