IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. Learn
  3. Insecure Deserialization
Data & SerializationCritical

Insecure Deserialization

Also known as: Object Injection

Insecure Deserialization occurs when an application deserializes attacker-controllable data using a mechanism that can instantiate arbitrary objects or invoke methods during reconstruction. Depending on the language and available gadget chains, this can lead to remote code execution, authentication bypass, or data tampering.

CWE
CWE-502
OWASP
A08:2021

How it works

  1. 1The application accepts serialized objects from the client (cookies, tokens, message queues).
  2. 2It deserializes them with an unsafe deserializer that can construct arbitrary types.
  3. 3The attacker crafts a payload leveraging a gadget chain in the app's dependencies.
  4. 4Deserialization triggers the chain, executing code or altering trusted state.

Example

Signs of risk:
- Java: readObject on ObjectInputStream with untrusted bytes
- Python: pickle.loads on user data
- .NET / PHP: BinaryFormatter / unserialize on client input
Common unsafe deserialization sinks by ecosystem.

Impact

Insecure deserialization frequently yields remote code execution and is difficult to exploit blindly but severe when achievable.

Remediation

  • Never deserialize untrusted data with type-permissive deserializers.
  • Use data-only formats (JSON) with strict schemas instead of native object serialization.
  • If unavoidable, enforce type allowlists and integrity checks (signed payloads).
  • Keep dependencies patched to remove known gadget chains.

Detection & testing

Identify endpoints accepting serialized blobs; test with known gadget probes and out-of-band callbacks. Validate exploitability safely.

Impactr tests for Insecure Deserialization the way an attacker would - investigating, chaining it with related flaws, and proving impact with a reproducible exploit before it reaches your report.

Test my app for Object Injection

Tools

ImpactrysoserialBurp Suite

Frequently asked questions

Is JSON parsing vulnerable to insecure deserialization?

Plain JSON parsing into data structures is generally safe. Risk appears when a library maps JSON to arbitrary types (polymorphic deserialization) or when native binary serializers are used on untrusted input.

Related concepts

SQL Injection (SQLi)OS Command InjectionJWT Attacks
← All vulnerabilities
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub