appsec.fyi

Insecure Deserialization Resources


A curated AppSec resource library covering XSS, SQLi, SSRF, IDOR, RCE, XXE, OSINT, and more.

Insecure Deserialization

Insecure deserialization vulnerabilities occur when an application reconstructs objects from serialized data it does not control, without restricting which types may be instantiated. Because most native serializers run code on the objects they rebuild (constructors, readObject, __wakeup, __reduce__, property setters), an attacker who controls the bytes can steer that code into executing arbitrary commands, bypassing authentication, or corrupting application state. The problem affects virtually every major language and runtime: Java (ObjectInputStream and the ysoserial gadget chains), PHP (unserialize and phar:// metadata), Python (pickle and PyYAML's unsafe loaders), .NET (BinaryFormatter, ViewState, and Json.NET with TypeNameHandling enabled), and Ruby (Marshal). Deserialization bugs are particularly dangerous because a single crafted payload often yields remote code execution, frequently before authentication. The exploitation landscape includes gadget chain discovery, polyglot payloads that work across libraries, and attacks against message queues, caching layers, and session stores that serialize user-controlled data. Defenses include refusing native serialization for untrusted input altogether, exchanging data as plain JSON (noting that JSON parsers which resolve type names, such as Json.NET TypeNameHandling or Fastjson autoType, reintroduce the same problem), enforcing an allowlist of deserializable types (for example Java's ObjectInputFilter), and authenticating serialized blobs with an HMAC so that only data the server itself produced is ever deserialized.

Date Added  Year  Link  Excerpt
2026-04-22  2026  picoCTF Super Serial Writeup: PHP Object Injection Explained Clearly
2026-04-22  2026  Deep Dive into Fastjson Deserialization Vulnerabilities
2026-04-22  2026  CVE-2025-24813 PoC: Apache Tomcat Java Deserialization
2026-04-22  2026  WSUS Deserialization Exploit in the Wild (CVE-2025-59287)
2026-04-22  2026  Precise and Effective Gadget Chain Mining through Deserialization-Guided Call Graph Construction (USENIX Security 2025)
2026-04-22  2026  Gleipner: A Benchmark for Gadget Chain Detection in Java Deserialization Vulnerabilities
2026-04-19  2026  IBM webMethods Integration CVE-2025-36072: Deserialization RCE
2026-04-19  2026  Deserialization Vulnerability — Exploit-DB Paper
2026-04-19  2026  Cisco ISE Insecure Java Deserialization — Cisco Docs
2026-04-19  2026  Insecure Deserialization Vulnerabilities — Acunetix
2026-04-19  2026  Cisco ISE Insecure Java Deserialization (CVE-2025-20124)
2026-04-17  2026  CVE-2023-34040: Spring-Kafka Java Deserialization
2026-04-17  2026  Apache Struts vulnerability leads to RCE
2026-04-17  2026  Jackson deserialization vulnerability exploit (3 gadgets, GitHub)
2026-04-17  2026  Apache Struts2 Code Execution Exploit (Infopercept)
2026-04-17  2026  Spring-web Java Deserialization: CVE-2016-1000027 (Contrast)
2026-04-17  2026  Exploiting Apache Struts: Writing Better Detections (Gigamon)
2026-04-17  2026  Friday the 13th JSON Attacks (Black Hat)
2026-04-17  2026  PayloadsAllTheThings: Insecure Deserialization DotNET
2026-04-17  2026  Basic .Net deserialization ObjectDataProvider gadget (HackTricks)
2026-04-17  2026  Python-Pickle-RCE-Exploit + vulnerable Flask App (GitHub)
2026-04-17  2026  SOUR PICKLE: Insecure Deserialization with Python Pickle
2026-04-17  2026  PayloadsAllTheThings: Insecure Deserialization Python
2026-04-17  2026  Pickle Code Execution Exploitation (Dhound)
2026-04-17  2026  Python-socketio: Pickle deserialization RCE advisory
2026-04-17  2026  Exploiting deserialization in recent Java versions (OWASP Stuttgart)
2026-04-17  2026  Automated Discovery of Deserialization Gadget Chains (Black Hat)
2026-04-17  2026  Prevent insecure deserialization attacks (Veracode)
2026-04-17  2026  Understanding Insecure Deserialization: Risks and Mitigations
2026-04-17  2026  Bug Bounty Hunting: Insecure Deserialization
2026-04-17  2026  Insecure Deserialization - Attack Technique (vuln.today)
2026-04-16  2026  Depickling, Gadgets, and Chains: The Exploit That Unraveled Equifax
2026-04-16  2026  How to Exploit PHAR Deserialization Vulnerability
2026-04-16  2026  Insecure Reflection Practices in Java and C#
2026-04-16  2026  Java Deserialization Tricks - Synacktiv
2026-04-16  2026  Deep Dive into .NET ViewState Deserialization
2026-04-16  2026  ViewState Deserialization Zero-Day in Sitecore (CVE-2025-53690)
2026-04-16  2026  The Art of Hide and Seek: Pickle-Based Model Supply Chain Poisoning
2026-04-10  2026  Insecure Deserialization: Risks, Examples, and Best Practices
2026-04-10  2026  Deserialization Gadget Chain Definition
2026-04-10  2026  CVE-2026-20963: SharePoint Deserialization RCE Analysis
2026-04-10  2026  SharePoint Zero-Day CVE-2025-53770 Actively Exploited
2026-04-10  2026  SolarWinds Web Help Desk Deserialization Vulnerability
2026-04-10  2026  SnakeYAML Deserialization Deep Dive (CVE-2022-1471)
2026-04-10  2026  Docling RCE via PyYAML (CVE-2026-24009)
2026-04-10  2026  PyTorch Users at Risk: 3 Zero-Day PickleScan Vulnerabilities
2026-04-10  2026  PickleBall: Secure Deserialization of Pickle-based ML Models
2026-04-10  2026  CVE-2026-33728: dd-trace-java Unsafe Deserialization in RMI
2026-04-10  2026  CVE-2026-33439: OpenAM Pre-Auth RCE via Deserialization
2026-04-10  2026  PayloadsAllTheThings - Ruby Deserialization Payloads
2026-04-10  2026  Ruby Vulnerabilities: Exploiting Open, Send, and Deserialization
2026-04-10  2026  Java Deserialization Gadget Chains Explained
2026-04-10  2026  Deserialization Gadget Chains in Android: An In-Depth Study
2026-04-10  2026  What Actually Is a Deserialization Gadget Chain?
2026-04-10  2026  ysoserial: Java Deserialization Payload Generator
2026-04-10  2026  ysoserial.net: Deserialization Payload Generator for .NET
2026-04-10  2026  The Anatomy of Deserialization Attacks
2026-04-10  2026  Marshal Madness: A Brief History of Ruby Deserialization Exploits
2026-04-10  2026  Deserialization Attacks: How Exploiting Data Formats Can Break Security
2026-04-10  2026  DELMIA Apriso Insecure Deserialization Exploited in the Wild (CVE-2025-5086)
2026-04-10  2026  PayloadsAllTheThings - PHP Deserialization Payloads
2026-04-10  2026  Exploiting PHP Deserialization with POP Chains
2026-04-10  2026  What is PHP Object Injection? An In-Depth Guide
2026-04-10  2026  PHP Object Injection Research
2026-04-10  2026  .NET Deserialization Cheat Sheet
2026-04-10  2026  BinaryFormatter Deserialization Security Guide for .NET
2026-04-10  2026  Microsoft SharePoint Deserialization RCE (CVE-2026-26114)
2026-04-10  2026  .NET JSON.NET Deserialization RCE
2026-04-10  2026  Deserialization Bugs in the Wild
2026-04-10  2026  Insecure Deserialization in Python: A Complete Guide
2026-04-10  2026  Security in Python Deserialization: Safe Pickle Alternatives 2025
2026-04-10  2026  Exposing 4 Critical Vulnerabilities in Python Picklescan
2026-04-10  2026  Breaking Pickle: RCE Through Python Deserialization
2026-04-10  2026  Pickle Deserialization in ML Pipelines: The RCE That Won't Go Away
2026-04-10  2026  Insecure Deserialization Tutorial and Examples
2026-04-10  2026  An In-depth Study of Java Deserialization RCE Exploits
2026-04-10  2026  OWASP Deserialization Cheat Sheet
2026-04-10  2026  Deserialization Vulnerabilities in Java
2026-04-10  2026  Java Deserialization Cheat Sheet
2026-04-10  2026  Insecure Deserialization in Web Applications
2026-04-10  2026  CVE-2026-25769: Wazuh Critical RCE via Unsafe Deserialization
2026-04-10  2026  U-Office Force Critical RCE via Insecure Deserialization (CVE-2026-3422)
2026-04-10  2026  IBM Langflow Desktop RCE via Insecure Deserialization
2026-04-06  2026  Remote Code Execution (RCE) Prevention - SecPortal
2026-04-06  2026  CVE-2025-12305: Shiyi-blog RCE via Deserialization
2026-04-06  2026  CVE-2025-34153: Hyland OnBase RCE via Deserialization
2026-04-06  2026  CVE-2025-42928: SAP jConnect RCE via Deserialization
2026-04-06  2026  Insecure Deserialization Guide - SecPortal
2026-04-03  2026  Unsafe Deserialization in Ruby | SecureFlag
2026-04-03  2026  Analyzing Prerequisites of Known Deserialization Vulnerabilities on Java Applications
2026-04-03  2026  Insecure Deserialization: The Vulnerability That Gives Attackers RCE
2026-04-03  2026  Lab: Exploiting Ruby Deserialization Using a Documented Gadget Chain | PortSwigger
2026-04-03  2026  Ruby 2.x Universal RCE Deserialization Gadget Chain | elttam
2026-04-03  2026  Insecure Deserialization Explained with Examples
2026-04-03  2026  Now You Serial, Now You Don't — Systematically Hunting for Deserialization Exploits | Google Cloud
2026-04-03  2026  PayloadsAllTheThings - Java Deserialization Payloads
2026-04-03  2026  Insecure Deserialization | OWASP
2026-04-03  2026  Exploiting Insecure Deserialization Vulnerabilities | PortSwigger
2020-06-29  2020  Insecure deserialization | Web Security Academy
                  Excerpt: In this section, we'll cover what insecure deserialization is and describe how it can potentially expose websites to high-severity attacks. We'll highlight ...

Frequently Asked Questions

What makes deserialization vulnerabilities so dangerous?
Deserialization vulnerabilities often lead directly to remote code execution (RCE) because the deserialization process can trigger arbitrary method calls through gadget chains — sequences of existing classes whose methods chain together to execute attacker-controlled commands. A single crafted payload can compromise an entire server.
What is a gadget chain?
A gadget chain is a sequence of existing classes and methods in an application's classpath that, when triggered during deserialization, produce a dangerous side effect like code execution. Tools like ysoserial (Java), phpggc (PHP), and peas (Python) generate payloads for known gadget chains in popular libraries and frameworks.
How do you prevent insecure deserialization?
Never deserialize untrusted data with a native serialization format (Java ObjectInputStream, Python pickle, PHP unserialize, Ruby Marshal, .NET BinaryFormatter). Exchange data as plain JSON or another schema-bound format, and keep polymorphic type resolution switched off in the JSON library. If native serialization is unavoidable, enforce a strict allowlist of types (Java's ObjectInputFilter, or a subclassed Python Unpickler with a restricted find_class), authenticate the blob with an HMAC under a key only the server holds and verify it before any parsing begins, and prefer look-ahead deserialization that checks the class name before an instance is constructed. A signature protects only while the key stays secret: a leaked or default machine key turns .NET ViewState back into a deserialization sink.
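As an added example (not code from appsec.fyi or from any of the listed resources), the following Python script shows the pickle pattern that both the introduction and the answer above describe: a gadget payload that runs code the moment pickle.loads touches it, a subclassed Unpickler whose find_class allowlist stops the same payload, and an HMAC envelope that rejects it before any parsing happens. The session dict, the environment-variable marker the payload sets, and the key handling are constructed for the demo.

```python
"""Added example: a pickle gadget and two of the defences the page recommends
(an allowlisting Unpickler and an HMAC envelope). Not from appsec.fyi."""
import builtins
import datetime as dt
import hashlib
import hmac
import io
import os
import pickle

MARKER = "PICKLE_GADGET_RAN"  # constructed: the payload sets this so its effect is observable


def make_session() -> dict:
    """Constructed sample of the kind of object an app might cache or put in a cookie.
    It contains a datetime, which is why the allowlist below needs exactly one entry."""
    return {"user": "alice", "roles": ["user"], "issued": dt.datetime(2026, 4, 22, 9, 30)}


class Gadget:
    """Attacker-side class. The target never needs it: __reduce__ makes the pickle
    say 'call builtins.exec with this string' and a plain Unpickler obeys. This is
    the one-step Python analogue of a Java gadget chain. A real payload would call
    os.system or subprocess; this one only sets an environment variable."""

    def __reduce__(self):
        return (builtins.exec, (f"import os; os.environ['{MARKER}'] = '1'",))


def attacker_payload() -> bytes:
    return pickle.dumps(Gadget())


def unsafe_load(blob: bytes):
    """The vulnerable pattern: pickle.loads on bytes the client controls."""
    return pickle.loads(blob)


# Defence 1: resolve only the (module, name) globals the application expects, and
# resolve them from this table rather than by importing, so a crafted module name
# cannot trigger import-time side effects either.
ALLOWED_GLOBALS = {("datetime", "datetime"): dt.datetime}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        try:
            return ALLOWED_GLOBALS[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"{module}.{name} is not on the allowlist") from None


def restricted_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


# Defence 2: authenticate the blob so only data the server minted is parsed at all.
SECRET_KEY = os.urandom(32)  # assumption: in production a per-deployment key from a secret store
TAG_LEN = hashlib.sha256().digest_size


def seal(blob: bytes) -> bytes:
    return hmac.new(SECRET_KEY, blob, hashlib.sha256).digest() + blob


def verify_and_load(envelope: bytes):
    tag, blob = envelope[:TAG_LEN], envelope[TAG_LEN:]
    expected = hmac.new(SECRET_KEY, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad HMAC: refusing to deserialize")
    return restricted_load(blob)  # still allowlist after the check: defence in depth


def demo() -> dict:
    """Run the payload against each loader and report what happened."""
    results = {}
    payload = attacker_payload()

    os.environ.pop(MARKER, None)
    unsafe_load(payload)
    results["unsafe_ran_gadget"] = os.environ.get(MARKER) == "1"

    os.environ.pop(MARKER, None)
    try:
        restricted_load(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    results["restricted_blocked"] = blocked and MARKER not in os.environ

    legit = seal(pickle.dumps(make_session()))
    results["legit_roundtrip"] = verify_and_load(legit) == make_session()

    # Attacker splices the gadget bytes behind a tag they cannot recompute.
    try:
        verify_and_load(legit[:TAG_LEN] + payload)
        results["tampered_rejected"] = False
    except ValueError:
        results["tampered_rejected"] = MARKER not in os.environ
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Run it as a script to see the four checks. The ordering in verify_and_load matters in production as well: check the HMAC first, then unpickle through the allowlist, never the reverse, because the unpickler executes gadgets while parsing, before any later validation could run.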
