CWE-502
AllowedDeserialization of Untrusted Data
Abstraction: Base · Status: Draft
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
4795 vulnerabilities reference this CWE, most recent first.
GHSA-F6HM-88X3-MFJV
Vulnerability from github – Published: 2021-03-22 23:29 – Updated: 2022-02-08 21:32Impact
The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
Patches
If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Workarounds
See workarounds for the different versions covering all CVEs.
References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-21349.
Credits
The vulnerability was discovered and reported by threedr3am.
For more information
If you have any questions or comments about this advisory: * Open an issue in XStream * Contact us at XStream Google Group
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.thoughtworks.xstream:xstream"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21349"
],
"database_specific": {
"cwe_ids": [
"CWE-502",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-22T23:26:25Z",
"nvd_published_at": "2021-03-23T00:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nThe vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream\u0027s default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream\u0027s documentation for [CVE-2021-21349](https://x-stream.github.io/CVE-2021-21349.html).\n\n### Credits\nThe vulnerability was discovered and reported by threedr3am.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)",
"id": "GHSA-f6hm-88x3-mfjv",
"modified": "2022-02-08T21:32:19Z",
"published": "2021-03-22T23:29:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-f6hm-88x3-mfjv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21349"
},
{
"type": "PACKAGE",
"url": "https://github.com/x-stream/xstream"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210430-0002"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-5004"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"type": "WEB",
"url": "https://x-stream.github.io/CVE-2021-21349.html"
},
{
"type": "WEB",
"url": "https://x-stream.github.io/security.html#workaround"
},
{
"type": "WEB",
"url": "http://x-stream.github.io/changes.html#1.4.16"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host"
}
GHSA-F6PF-7QX7-FG5M
Vulnerability from github – Published: 2023-03-29 21:30 – Updated: 2025-02-18 18:33This vulnerability allows remote attackers to execute arbitrary code on affected installations of AVEVA Edge 2020 SP2 Patch 0(4201.2111.1802.0000). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of APP files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-17212.
{
"affected": [],
"aliases": [
"CVE-2022-28685"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-29T19:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of AVEVA Edge 2020 SP2 Patch 0(4201.2111.1802.0000). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of APP files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-17212.",
"id": "GHSA-f6pf-7qx7-fg5m",
"modified": "2025-02-18T18:33:00Z",
"published": "2023-03-29T21:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28685"
},
{
"type": "WEB",
"url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2022-005.pdf"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-1124"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F74J-GFFQ-VM9P
Vulnerability from github – Published: 2025-10-17 18:08 – Updated: 2025-10-17 21:32Description
In the FlightServer class of the pyquokka framework, the do_action() method directly uses pickle.loads() to deserialize action bodies received from Flight clients without any sanitization or validation, which results in a remote code execution vulnerability. The vulnerable code is located in pyquokka/flight.py at line 283, where arbitrary data from Flight clients is directly passed to pickle.loads().
Even more concerning, when FlightServer is configured to listen on 0.0.0.0 (as shown in the provided server example at line 339), this allows attackers across the entire network to perform arbitrary remote code execution by sending malicious pickled payloads through the set_configs action.
In addition, the functions cache_garbage_collect, do_put, and do_get also contain vulnerability points where pickle.loads is used to deserialize untrusted remote data. Please review and fix these issues accordingly. This report uses the set_configs action as an example.
Proof of Concept
- Step 1: The victim user starts a FlightServer that binds to the network interface, e.g.:
server = FlightServer("0.0.0.0", location = "grpc+tcp://0.0.0.0:5005")
server.serve()
````
* Step 2:
The attacker can then send malicious pickle dump data through the Flight client connection. The provided PoC demonstrates how an attacker can execute "ls -l" command:
```python
class RCE:
def __reduce__(self):
import os
return (os.system, ('ls -l',))
import pickle
action_body = pickle.dumps(RCE())
action = pyarrow.flight.Action("set_configs", action_body)
When the server receives this payload, the FlightServer.do_action() method calls pickle.loads(action.body.to_pybytes()) on line 283, which triggers the execution of the malicious code through Python's pickle deserialization mechanism. The provided flight_client.py demonstrates a complete PoC that connects to the vulnerable server and executes arbitrary commands through the pickle deserialization vulnerability.
When the vulnerability is reproduced, python flight.py can be run to init the server and then run flight_client.py. There is an attack demo in the attachment.
Impact
Remote code execution on the victim's machine over the network. Once the victim starts the FlightServer with network binding (especially 0.0.0.0), an attacker on the network can gain arbitrary code execution by connecting to the Flight endpoint and sending crafted pickle payloads through the set_configs action. This vulnerability allows for:
- Complete system compromise
- Data exfiltration
- Lateral movement within the network
- Denial of service attacks
- Installation of persistent backdoors
Mitigation
- Replace unsafe deserialization: Replace
pickle.loads()with safer alternatives such as: - JSON serialization for simple data structures
- Protocol Buffers or MessagePack for complex data
-
If pickle must be used, implement a custom
Unpicklerwith a restrictedfind_class()method that only allows whitelisted classes -
Network security:
- If the service is intended for internal use only, bind to localhost (
127.0.0.1) instead of0.0.0.0 -
Implement authentication and authorization mechanisms
-
Security warnings: When starting the service on public interfaces, display clear security warnings to inform users about the risks.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pyquokka"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62515"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-17T18:08:09Z",
"nvd_published_at": "2025-10-17T21:15:36Z",
"severity": "CRITICAL"
},
"details": "### Description\n\nIn the FlightServer class\u00a0of the pyquokka framework, the\u00a0do_action()\u00a0method\u00a0directly uses\u00a0pickle.loads()\u00a0to deserialize action\u00a0bodies received\u00a0from Flight clients without any sanitization or validation, which results in a remote code execution vulnerability. The vulnerable code is located in\u00a0pyquokka/flight.py\u00a0at\u00a0line 283, where arbitrary data from Flight clients\u00a0is directly passed\u00a0to\u00a0pickle.loads().\n\nEven\u00a0more concerning, when FlightServer is configured to listen on\u00a00.0.0.0\u00a0(as shown\u00a0in the provided server example at line\u00a0339), this allows attackers across the entire network to perform arbitrary remote code execution\u00a0by sending malicious pickled payloads through the\u00a0set_configs\u00a0action.\n\nIn addition, the functions cache_garbage_collect, do_put, and do_get also contain vulnerability points where pickle.loads is used to deserialize untrusted remote data. Please review and fix these issues accordingly. This report uses the set_configs action as an example.\n\n\n### Proof of Concept\n\n* Step 1:\nThe victim user\u00a0starts a FlightServer that binds to the network interface, e.g.:\n```\nserver\u00a0=\u00a0FlightServer(\"0.0.0.0\",\u00a0location\u00a0=\u00a0\"grpc+tcp://0.0.0.0:5005\")\nserver.serve()\n````\n* Step 2:\nThe attacker can then send malicious pickle dump data through\u00a0the Flight client connection. The provided PoC demonstrates how an attacker can execute \"ls -l\" command:\n\n```python\nclass RCE:\ndef __reduce__(self):\nimport os\nreturn (os.system, (\u0027ls -l\u0027,))\n\nimport pickle\naction_body = pickle.dumps(RCE())\naction = pyarrow.flight.Action(\"set_configs\", action_body)\n```\n\nWhen the\u00a0server receives this payload, the\u00a0FlightServer.do_action()\u00a0method calls\u00a0pickle.loads(action.body.to_pybytes())\u00a0on line 283,\u00a0which triggers the execution\u00a0of the malicious code through Python\u0027s pickle deserialization mechanism. The provided\u00a0flight_client.py\u00a0demonstrates a complete\u00a0PoC that connects to the vulnerable server and executes arbitrary commands through\u00a0the pickle deserialization vulnerability.\n\nWhen the vulnerability is reproduced, python flight.py can be run to init the server and then run flight_client.py. There is an attack demo in the attachment.\n\n### Impact\n\nRemote code execution on the\u00a0victim\u0027s machine over the network. Once the victim starts\u00a0the FlightServer with network binding (especially\u00a00.0.0.0), an attacker on\u00a0the network\u00a0can gain arbitrary code execution by connecting to the Flight endpoint\u00a0and sending crafted pickle payloads through the\u00a0set_configs\u00a0action. This vulnerability allows\u00a0for:\n\n- Complete system compromise\n- Data exfiltration\n- Lateral movement within the network\n- Denial of service attacks\n- Installation of persistent backdoors\n\n### Mitigation\n\n1. **Replace unsafe deserialization**: Replace `pickle.loads()` with safer alternatives such as:\n - JSON serialization for simple data structures\n - Protocol Buffers or MessagePack for complex data\n - If pickle must be used, implement a custom `Unpickler` with a restricted `find_class()` method that only allows whitelisted classes\n\n2. **Network security**: \n - If the service is intended for internal use only, bind to localhost (`127.0.0.1`) instead of `0.0.0.0`\n - Implement authentication and authorization mechanisms\n\n3. **Security warnings**: When starting the service on public interfaces, display clear security warnings to inform users about the risks.",
"id": "GHSA-f74j-gffq-vm9p",
"modified": "2025-10-17T21:32:52Z",
"published": "2025-10-17T18:08:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/marsupialtail/quokka/security/advisories/GHSA-f74j-gffq-vm9p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62515"
},
{
"type": "PACKAGE",
"url": "https://github.com/marsupialtail/quokka"
},
{
"type": "WEB",
"url": "https://github.com/marsupialtail/quokka/blob/master/pyquokka/flight.py#L283"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "pyquokka is Vulnerable to Remote Code Execution by Pickle Deserialization via FlightServer "
}
GHSA-F755-XP6R-8Q84
Vulnerability from github – Published: 2026-07-06 09:30 – Updated: 2026-07-06 21:30Deserialization of Untrusted Data vulnerability in Apache Camel, Apache Camel JMS component.
JmsBinding.extractBodyFromJms() in camel-jms - and the equivalent JmsBinding in camel-sjms - deserializes the payload of an incoming JMS ObjectMessage via jakarta.jms.ObjectMessage.getObject() whenever the mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer. The CVE-2026-40860 hardening added a post-deserialization class check that rejects classes outside the default allow-list java.;javax.;org.apache.camel.;!*. However org.apache.camel.support.DefaultExchangeHolder itself lives in the allow-listed org.apache.camel. namespace, so an ObjectMessage whose top-level object is a DefaultExchangeHolder passes the check. The receiving side then calls DefaultExchangeHolder.unmarshal() on it without requiring the transferExchange option to be enabled - an asymmetric trust boundary, since the sending side gates ObjectMessage and transferExchange handling but the receiving side did not - writing every non-null field of the holder into the Exchange: the message body, the IN and OUT headers, the exchange properties, the variables, the exchange id and the exception. An attacker who can publish an ObjectMessage to a queue or topic consumed by an affected Camel application can therefore inject arbitrary Exchange state using only universally-trusted java.lang and java.util types, with no deserialization gadget chain required, to manipulate routing and headers, exchange properties and error handling. The same handling applies to camel-sjms and camel-sjms2, and to the JMS-family components built on JmsComponent and JmsBinding: camel-amqp, camel-activemq and camel-activemq6. This is a bypass of the CVE-2026-40860 fix rather than a flaw in it. This issue affects Apache Camel: from 3.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0; Apache Camel: from 3.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.
Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, JMS ObjectMessage handling is disabled by default in camel-jms, camel-sjms and the JMS-family components (a new objectMessageEnabled option defaults to false at the component and endpoint level), so an incoming ObjectMessage - including a DefaultExchangeHolder payload - is no longer deserialized unless the option is explicitly enabled; only set objectMessageEnabled=true when the consumed JMS destination is fed exclusively by trusted producers. For deployments that cannot upgrade immediately, restrict publish access to the queues and topics consumed by Camel to trusted producers via JMS broker authorization, and do not expose JMS consumers that map ObjectMessage bodies to untrusted networks; a JMS-provider deserialization allow-list does not mitigate this specific bypass because the crafted payload uses only universally-trusted classes.
{
"affected": [],
"aliases": [
"CVE-2026-43866"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-06T09:16:35Z",
"severity": "HIGH"
},
"details": "Deserialization of Untrusted Data vulnerability in Apache Camel, Apache Camel JMS component.\n\nJmsBinding.extractBodyFromJms() in camel-jms - and the equivalent JmsBinding in camel-sjms - deserializes the payload of an incoming JMS ObjectMessage via jakarta.jms.ObjectMessage.getObject() whenever the mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer. The CVE-2026-40860 hardening added a post-deserialization class check that rejects classes outside the default allow-list java.**;javax.**;org.apache.camel.**;!*. However org.apache.camel.support.DefaultExchangeHolder itself lives in the allow-listed org.apache.camel.** namespace, so an ObjectMessage whose top-level object is a DefaultExchangeHolder passes the check. The receiving side then calls DefaultExchangeHolder.unmarshal() on it without requiring the transferExchange option to be enabled - an asymmetric trust boundary, since the sending side gates ObjectMessage and transferExchange handling but the receiving side did not - writing every non-null field of the holder into the Exchange: the message body, the IN and OUT headers, the exchange properties, the variables, the exchange id and the exception. An attacker who can publish an ObjectMessage to a queue or topic consumed by an affected Camel application can therefore inject arbitrary Exchange state using only universally-trusted java.lang and java.util types, with no deserialization gadget chain required, to manipulate routing and headers, exchange properties and error handling. The same handling applies to camel-sjms and camel-sjms2, and to the JMS-family components built on JmsComponent and JmsBinding: camel-amqp, camel-activemq and camel-activemq6. This is a bypass of the CVE-2026-40860 fix rather than a flaw in it.\nThis issue affects Apache Camel: from 3.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0; Apache Camel: from 3.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, JMS ObjectMessage handling is disabled by default in camel-jms, camel-sjms and the JMS-family components (a new objectMessageEnabled option defaults to false at the component and endpoint level), so an incoming ObjectMessage - including a DefaultExchangeHolder payload - is no longer deserialized unless the option is explicitly enabled; only set objectMessageEnabled=true when the consumed JMS destination is fed exclusively by trusted producers. For deployments that cannot upgrade immediately, restrict publish access to the queues and topics consumed by Camel to trusted producers via JMS broker authorization, and do not expose JMS consumers that map ObjectMessage bodies to untrusted networks; a JMS-provider deserialization allow-list does not mitigate this specific bypass because the crafted payload uses only universally-trusted classes.",
"id": "GHSA-f755-xp6r-8q84",
"modified": "2026-07-06T21:30:35Z",
"published": "2026-07-06T09:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43866"
},
{
"type": "WEB",
"url": "https://camel.apache.org/security/CVE-2026-43866.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-F765-52VQ-524G
Vulnerability from github – Published: 2025-01-15 00:30 – Updated: 2025-02-03 18:30MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/addField.
{
"affected": [],
"aliases": [
"CVE-2024-57763"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-15T00:15:34Z",
"severity": "CRITICAL"
},
"details": "MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/addField.",
"id": "GHSA-f765-52vq-524g",
"modified": "2025-02-03T18:30:39Z",
"published": "2025-01-15T00:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57763"
},
{
"type": "WEB",
"url": "https://gitee.com/wanglingxiao/mysiteforme/issues/IBFVFD"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F786-9C63-8XR8
Vulnerability from github – Published: 2026-04-24 12:30 – Updated: 2026-05-05 00:06Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module.
This issue affects Apache DolphinScheduler:
Version >= 3.2.0 and < 3.3.1.
Attackers who can access the Master or Worker nodes can compromise the system by creating a StandardRpcRequest, injecting a malicious class type into it, and sending RPC requests to the DolphinScheduler Master/Worker nodes. Users are recommended to upgrade to version [3.3.1], which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.dolphinscheduler:dolphinscheduler"
},
"ranges": [
{
"events": [
{
"introduced": "3.2.0"
},
{
"fixed": "3.3.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.dolphinscheduler:dolphinscheduler-rpc"
},
"ranges": [
{
"events": [
{
"introduced": "3.2.0"
},
{
"fixed": "3.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62233"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T00:06:35Z",
"nvd_published_at": "2026-04-24T11:16:21Z",
"severity": "MODERATE"
},
"details": "Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module.\n\nThis issue affects Apache DolphinScheduler:\u00a0\n\nVersion \u003e= 3.2.0 and \u003c 3.3.1.\n\nAttackers who can access the Master or Worker nodes can compromise the system by creating a StandardRpcRequest, injecting a malicious class type into it, and sending RPC requests to the DolphinScheduler Master/Worker nodes.\nUsers are recommended to upgrade to version [3.3.1], which fixes the issue.",
"id": "GHSA-f786-9c63-8xr8",
"modified": "2026-05-05T00:06:35Z",
"published": "2026-04-24T12:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62233"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/dolphinscheduler"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/79s80h51r4z5d4l2xs5xy364rmmo1bw0"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/04/24/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Apache DolphinScheduler RPC module has a Deserialization of Untrusted Data vulnerability"
}
GHSA-F79R-3FCG-P98X
Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 00:34picklescan before 0.0.29 fails to detect the built-in python profile.Profile.run function when used in pickle reduce methods, allowing attackers to execute arbitrary code. Remote attackers can craft malicious pickle files that bypass picklescan detection and achieve code execution upon deserialization.
{
"affected": [],
"aliases": [
"CVE-2025-71374"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T23:16:51Z",
"severity": "HIGH"
},
"details": "picklescan before 0.0.29 fails to detect the built-in python profile.Profile.run function when used in pickle reduce methods, allowing attackers to execute arbitrary code. Remote attackers can craft malicious pickle files that bypass picklescan detection and achieve code execution upon deserialization.",
"id": "GHSA-f79r-3fcg-p98x",
"modified": "2026-07-01T00:34:02Z",
"published": "2026-07-01T00:34:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-x696-vm39-cp64"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71374"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-undetected-profile-profile-run"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F7G9-GQXR-PMV7
Vulnerability from github – Published: 2024-12-12 03:33 – Updated: 2024-12-12 03:33GFI Archiver Core Service Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GFI Archiver. Authentication is required to exploit this vulnerability.
The specific flaw exists within the Core Service, which listens on TCP port 8017 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-24029.
{
"affected": [],
"aliases": [
"CVE-2024-11947"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-12T01:40:21Z",
"severity": "HIGH"
},
"details": "GFI Archiver Core Service Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GFI Archiver. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the Core Service, which listens on TCP port 8017 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-24029.",
"id": "GHSA-f7g9-gqxr-pmv7",
"modified": "2024-12-12T03:33:02Z",
"published": "2024-12-12T03:33:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11947"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1670"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F7VH-QWP3-X37M
Vulnerability from github – Published: 2022-01-19 00:01 – Updated: 2022-11-25 17:19CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Users are advised to migrate from log4j:log4j to org.apache.logging.log4j:log4j for an updated version of the library.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "log4j:log4j"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.2.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.zenframework.z8.dependencies.commons:log4j-1.2.17"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23307"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-20T22:48:35Z",
"nvd_published_at": "2022-01-18T16:15:00Z",
"severity": "CRITICAL"
},
"details": "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.\n\nUsers are advised to migrate from `log4j:log4j` to `org.apache.logging.log4j:log4j` for an updated version of the library.",
"id": "GHSA-f7vh-qwp3-x37m",
"modified": "2022-11-25T17:19:49Z",
"published": "2022-01-19T00:01:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh"
},
{
"type": "WEB",
"url": "https://logging.apache.org/log4j/1.2/index.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Deserialization of Untrusted Data in Apache Log4j"
}
GHSA-F7VJ-73PM-M822
Vulnerability from github – Published: 2026-04-23 21:31 – Updated: 2026-04-28 21:36LeRobot contains an unsafe deserialization vulnerability in the async inference pipeline where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels without TLS in the policy server and robot client components. An unauthenticated network-reachable attacker can achieve arbitrary code execution on the server or client by sending a crafted pickle payload through the SendPolicyInstructions, SendObservations, or GetActions gRPC calls.
{
"affected": [],
"aliases": [
"CVE-2026-25874"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-23T20:16:13Z",
"severity": "CRITICAL"
},
"details": "LeRobot contains an unsafe deserialization vulnerability in the async inference pipeline where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels without TLS in the policy server and robot client components. An unauthenticated network-reachable attacker can achieve arbitrary code execution on the server or client by sending a crafted pickle payload through the SendPolicyInstructions, SendObservations, or GetActions gRPC calls.",
"id": "GHSA-f7vj-73pm-m822",
"modified": "2026-04-28T21:36:01Z",
"published": "2026-04-23T21:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25874"
},
{
"type": "WEB",
"url": "https://github.com/huggingface/lerobot/issues/3047"
},
{
"type": "WEB",
"url": "https://github.com/huggingface/lerobot/issues/3134"
},
{
"type": "WEB",
"url": "https://github.com/huggingface/lerobot/pull/3048"
},
{
"type": "WEB",
"url": "https://chocapikk.com/posts/2026/lerobot-pickle-rce"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/lerobot-unsafe-deserialization-remote-code-execution-via-grpc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Mitigation
When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Mitigation
Explicitly define a final object() to prevent deserialization.
Mitigation
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.
Mitigation
Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-586: Object Injection
An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.