CWE-502
AllowedDeserialization of Untrusted Data
Abstraction: Base · Status: Draft
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
4796 vulnerabilities reference this CWE, most recent first.
GHSA-WFCF-C7X5-2Q5G
Vulnerability from github – Published: 2023-01-23 15:30 – Updated: 2023-01-30 18:30The Analyticator WordPress plugin before 6.5.6 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present
{
"affected": [],
"aliases": [
"CVE-2022-4323"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-23T15:15:00Z",
"severity": "HIGH"
},
"details": "The Analyticator WordPress plugin before 6.5.6 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present",
"id": "GHSA-wfcf-c7x5-2q5g",
"modified": "2023-01-30T18:30:24Z",
"published": "2023-01-23T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4323"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/ce8027b8-9473-463e-ba80-49b3d6d16228"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WFFW-394C-6775
Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2024-03-21 03:33** UNSUPPORTED WHEN ASSIGNED ** IBM InfoSphere Information Server 8.5.0.0 is affected by deserialization of untrusted data which could allow remote unauthenticated attackers to execute arbitrary code. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
{
"affected": [],
"aliases": [
"CVE-2020-27583"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-26T18:15:00Z",
"severity": "CRITICAL"
},
"details": "** UNSUPPORTED WHEN ASSIGNED ** IBM InfoSphere Information Server 8.5.0.0 is affected by deserialization of untrusted data which could allow remote unauthenticated attackers to execute arbitrary code. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
"id": "GHSA-wffw-394c-6775",
"modified": "2024-03-21T03:33:58Z",
"published": "2022-05-24T17:40:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27583"
},
{
"type": "WEB",
"url": "https://n4nj0.github.io/advisories/ibm-infosphere-java-deserialization"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WFGQ-9F7C-XCW5
Vulnerability from github – Published: 2024-01-16 18:31 – Updated: 2025-06-11 18:35The Formidable Forms WordPress plugin before 6.2 unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present.
{
"affected": [],
"aliases": [
"CVE-2023-1405"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-16T16:15:10Z",
"severity": "HIGH"
},
"details": "The Formidable Forms WordPress plugin before 6.2 unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present.",
"id": "GHSA-wfgq-9f7c-xcw5",
"modified": "2025-06-11T18:35:38Z",
"published": "2024-01-16T18:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1405"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/8c727a31-ff65-4472-8191-b1becc08192a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WFJ3-V98M-R3P5
Vulnerability from github – Published: 2024-04-07 18:30 – Updated: 2026-04-28 21:34Deserialization of Untrusted Data vulnerability in PickPlugins Product Designer.This issue affects Product Designer: from n/a through 1.0.32.
{
"affected": [],
"aliases": [
"CVE-2024-31277"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-07T18:15:10Z",
"severity": "HIGH"
},
"details": "Deserialization of Untrusted Data vulnerability in PickPlugins Product Designer.This issue affects Product Designer: from n/a through 1.0.32.",
"id": "GHSA-wfj3-v98m-r3p5",
"modified": "2026-04-28T21:34:31Z",
"published": "2024-04-07T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31277"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/product-designer/wordpress-product-designer-plugin-1-0-32-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WFQ2-52F7-7QVJ
Vulnerability from github – Published: 2026-01-09 20:52 – Updated: 2026-01-11 14:54Fickling's assessment
runpy was added to the list of unsafe imports (https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66).
Original report
Summary
Fickling versions up to and including 0.1.6 do not treat Python’s runpy module as unsafe. Because of this, a malicious pickle that uses runpy.run_path() or runpy.run_module() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS.
If a user relies on Fickling’s output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system.
This affects any workflow or product that uses Fickling as a security gate for pickle deserialization.
Details
The runpy module is missing from fickling's block list of unsafe module imports in fickling/analysis.py. This is the same root cause as CVE-2025-67748 (pty) and CVE-2025-67747 (marshal/types).
Incriminated source code:
- File: fickling/analysis.py
- Class: UnsafeImports
- Issue: The blocklist does not include runpy, runpy.run_path, runpy.run_module, or runpy._run_code
Reference to similar fix:
- PR #187 added pty to the blocklist to fix CVE-2025-67748
- PR #108 documented the blocklist approach
- The same fix pattern should be applied for runpy
How the bypass works:
1. Attacker creates a pickle using runpy.run_path() in __reduce__
2. Fickling's UnsafeImports analysis does not flag runpy as dangerous
3. Only the UnusedVariables heuristic triggers, resulting in SUSPICIOUS severity
4. The pickle should be rated OVERTLY_MALICIOUS like os.system, eval, and exec
Tested behavior (fickling 0.1.6):
| Function | Fickling Severity | RCE Capable |
|---|---|---|
| os.system | LIKELY_OVERTLY_MALICIOUS | Yes |
| eval | OVERTLY_MALICIOUS | Yes |
| exec | OVERTLY_MALICIOUS | Yes |
| runpy.run_path | SUSPICIOUS | Yes ← BYPASS |
| runpy.run_module | SUSPICIOUS | Yes ← BYPASS |
Suggested fix:
Add to the unsafe imports blocklist in fickling/analysis.py:
- runpy
- runpy.run_path
- runpy.run_module
- runpy._run_code
- runpy._run_module_code
PoC
Complete instructions, including specific configuration details, to reproduce the vulnerability.Environment: - Python 3.13.2 - fickling 0.1.6 (latest version, installed via pip)
Step 1: Create malicious pickle
import pickle import runpy
class MaliciousPayload: def reduce(self): return (runpy.run_path, ("/tmp/malicious_script.py",))
with open("malicious.pkl", "wb") as f: pickle.dump(MaliciousPayload(), f)
Step 2: Create the malicious script that will be executed
echo 'print("RCE ACHIEVED"); open("/tmp/pwned","w").write("compromised")' > /tmp/malicious_script.py
Step 3: Analyze with fickling
fickling --check-safety malicious.pkl
Expected output (if properly detected): Severity: OVERTLY_MALICIOUS
Actual output (bypass confirmed):
{
"severity": "SUSPICIOUS",
"analysis": "Variable _var0 is assigned value run_path(...) but unused afterward; this is suspicious and indicative of a malicious pickle file",
"detailed_results": {
"AnalysisResult": {
"UnusedVariables": ["_var0", "run_path(...)"]
}
}
}
Step 4: Prove RCE by loading the pickle
import pickle pickle.load(open("malicious.pkl", "rb"))
Check: ls /tmp/pwned <-- file exists, proving code execution
Pickle disassembly (evidence):
0: \x80 PROTO 4
2: \x95 FRAME 92
11: \x8c SHORT_BINUNICODE 'runpy' 18: \x94 MEMOIZE (as 0) 19: \x8c SHORT_BINUNICODE 'run_path' 29: \x94 MEMOIZE (as 1) 30: \x93 STACK_GLOBAL 31: \x94 MEMOIZE (as 2) 32: \x8c SHORT_BINUNICODE '/tmp/malicious_script.py' ... 100: R REDUCE 101: \x94 MEMOIZE (as 5) 102: . STOP
Impact
Vulnerability Type: Incomplete blocklist leading to safety check bypass (CWE-184) and arbitrary code execution via insecure deserialization (CWE-502).
Who is impacted: Any user or system that relies on fickling to vet pickle files for security issues before loading them. This includes:
Attack scenario: An attacker uploads a malicious ML model or pickle file to a model repository. The victim's pipeline uses fickling to scan uploads. Fickling rates the file as "SUSPICIOUS" (not "OVERTLY_MALICIOUS"), so the file is not rejected. When the victim loads the model, arbitrary code executes on their system.
Severity: HIGH
- The attacker achieves arbitrary code execution
- The security control (fickling) is specifically designed to prevent this
- The bypass requires no special conditions beyond crafting the pickle with runpy
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.1.6"
},
"package": {
"ecosystem": "PyPI",
"name": "fickling"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22606"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-09T20:52:40Z",
"nvd_published_at": "2026-01-10T02:15:49Z",
"severity": "HIGH"
},
"details": "# Fickling\u0027s assessment\n\n`runpy` was added to the list of unsafe imports (https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66).\n\n# Original report\n\n### Summary\nFickling versions up to and including 0.1.6 do not treat Python\u2019s runpy module as unsafe. Because of this, a malicious pickle that uses runpy.run_path() or runpy.run_module() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS.\n\nIf a user relies on Fickling\u2019s output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system.\n\nThis affects any workflow or product that uses Fickling as a security gate for pickle deserialization.\n\n### Details\nThe `runpy` module is missing from fickling\u0027s block list of unsafe module imports in `fickling/analysis.py`. This is the same root cause as CVE-2025-67748 (pty) and CVE-2025-67747 (marshal/types).\n\nIncriminated source code:\n- File: `fickling/analysis.py`\n- Class: `UnsafeImports`\n- Issue: The blocklist does not include `runpy`, `runpy.run_path`, `runpy.run_module`, or `runpy._run_code`\n\nReference to similar fix:\n- PR #187 added `pty` to the blocklist to fix CVE-2025-67748\n- PR #108 documented the blocklist approach\n- The same fix pattern should be applied for `runpy`\n\nHow the bypass works:\n1. Attacker creates a pickle using `runpy.run_path()` in `__reduce__`\n2. Fickling\u0027s `UnsafeImports` analysis does not flag `runpy` as dangerous\n3. Only the `UnusedVariables` heuristic triggers, resulting in `SUSPICIOUS` severity\n4. The pickle should be rated `OVERTLY_MALICIOUS` like `os.system`, `eval`, and `exec`\n\nTested behavior (fickling 0.1.6):\n\n| Function | Fickling Severity | RCE Capable |\n|-------------------|----------------------------|-------------|\n| os.system | LIKELY_OVERTLY_MALICIOUS | Yes |\n| eval | OVERTLY_MALICIOUS | Yes |\n| exec | OVERTLY_MALICIOUS | Yes |\n| runpy.run_path | SUSPICIOUS | Yes \u2190 BYPASS |\n| runpy.run_module | SUSPICIOUS | Yes \u2190 BYPASS |\n\nSuggested fix:\nAdd to the unsafe imports blocklist in `fickling/analysis.py`:\n- runpy\n- runpy.run_path\n- runpy.run_module\n- runpy._run_code\n- runpy._run_module_code\n\n### PoC\n_Complete instructions, including specific configuration details, to reproduce the vulnerability._**Environment:**\n- Python 3.13.2\n- fickling 0.1.6 (latest version, installed via pip)\n\nStep 1: Create malicious pickle\n\nimport pickle\nimport runpy\n\nclass MaliciousPayload:\n def __reduce__(self):\n return (runpy.run_path, (\"/tmp/malicious_script.py\",))\n\nwith open(\"malicious.pkl\", \"wb\") as f:\n pickle.dump(MaliciousPayload(), f)\n\nStep 2: Create the malicious script that will be executed\n\necho \u0027print(\"RCE ACHIEVED\"); open(\"/tmp/pwned\",\"w\").write(\"compromised\")\u0027 \u003e /tmp/malicious_script.py\n\nStep 3: Analyze with fickling\n\nfickling --check-safety malicious.pkl\n\nExpected output (if properly detected):\nSeverity: OVERTLY_MALICIOUS\n\nActual output (bypass confirmed):\n{\n \"severity\": \"SUSPICIOUS\",\n \"analysis\": \"Variable `_var0` is assigned value `run_path(...)` but unused afterward; this is suspicious and indicative of a malicious pickle file\",\n \"detailed_results\": {\n \"AnalysisResult\": {\n \"UnusedVariables\": [\"_var0\", \"run_path(...)\"]\n }\n }\n}\n\nStep 4: Prove RCE by loading the pickle\n\nimport pickle\npickle.load(open(\"malicious.pkl\", \"rb\"))\n# Check: ls /tmp/pwned \u003c-- file exists, proving code execution\n\nPickle disassembly (evidence):\n\n 0: \\x80 PROTO 4\n 2: \\x95 FRAME 92\n 11: \\x8c SHORT_BINUNICODE \u0027runpy\u0027\n 18: \\x94 MEMOIZE (as 0)\n 19: \\x8c SHORT_BINUNICODE \u0027run_path\u0027\n 29: \\x94 MEMOIZE (as 1)\n 30: \\x93 STACK_GLOBAL\n 31: \\x94 MEMOIZE (as 2)\n 32: \\x8c SHORT_BINUNICODE \u0027/tmp/malicious_script.py\u0027\n ...\n 100: R REDUCE\n 101: \\x94 MEMOIZE (as 5)\n 102: . STOP\n \n### Impact\n\nVulnerability Type:\nIncomplete blocklist leading to safety check bypass (CWE-184) and arbitrary code execution via insecure deserialization (CWE-502).\n\nWho is impacted:\nAny user or system that relies on fickling to vet pickle files for security issues before loading them. This includes:\n\nAttack scenario:\nAn attacker uploads a malicious ML model or pickle file to a model repository. The victim\u0027s pipeline uses fickling to scan uploads. Fickling rates the file as \"SUSPICIOUS\" (not \"OVERTLY_MALICIOUS\"), so the file is not rejected. When the victim loads the model, arbitrary code executes on their system.\n\nSeverity: HIGH\n- The attacker achieves arbitrary code execution\n- The security control (fickling) is specifically designed to prevent this\n- The bypass requires no special conditions beyond crafting the pickle with `runpy`",
"id": "GHSA-wfq2-52f7-7qvj",
"modified": "2026-01-11T14:54:44Z",
"published": "2026-01-09T20:52:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-565g-hwwr-4pp3"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-r7v6-mfhq-g3m2"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-wfq2-52f7-7qvj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22606"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/pull/108"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/pull/187"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/pull/195"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66"
},
{
"type": "PACKAGE",
"url": "https://github.com/trailofbits/fickling"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/blob/977b0769c13537cd96549c12bb537f05464cf09c/test/test_bypasses.py#L87"
},
{
"type": "WEB",
"url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Fickling has a bypass via runpy.run_path() and runpy.run_module()"
}
GHSA-WFW7-6632-XCV2
Vulnerability from github – Published: 2022-05-13 01:30 – Updated: 2024-03-04 21:59The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in ysoserial".
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:cli"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.625.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:cli"
},
"ranges": [
{
"events": [
{
"introduced": "1.626"
},
{
"fixed": "1.638"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-8103"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-09T16:32:01Z",
"nvd_published_at": "2015-11-25T20:59:00Z",
"severity": "CRITICAL"
},
"details": "The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic `webapps/ROOT/WEB-INF/lib/commons-collections-*.jar` file and the \"Groovy variant in `ysoserial`\".",
"id": "GHSA-wfw7-6632-xcv2",
"modified": "2024-03-04T21:59:33Z",
"published": "2022-05-13T01:30:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8103"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/jenkins/commit/5bd9b55a2a3249939fd78c501b8959a804c1164b"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/jenkins/commit/b4193d1132089286ebeaf9d8872c839ad473329c"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2016:0070"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/jenkins"
},
{
"type": "WEB",
"url": "https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20151225025917/http://www.securityfocus.com/bid/77636"
},
{
"type": "WEB",
"url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/38983"
},
{
"type": "WEB",
"url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jenkins"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/134805/Jenkins-CLI-RMI-Java-Deserialization.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/11/09/5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/11/18/11"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/11/18/13"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/11/18/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Jenkins CLI Deserialization of Untrusted Data vulnerability"
}
GHSA-WFWM-VF76-3692
Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2025-10-22 00:31Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
{
"affected": [],
"aliases": [
"CVE-2019-9874"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-31T21:29:00Z",
"severity": "CRITICAL"
},
"details": "Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.",
"id": "GHSA-wfwm-vf76-3692",
"modified": "2025-10-22T00:31:41Z",
"published": "2022-05-24T16:46:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9874"
},
{
"type": "WEB",
"url": "https://dev.sitecore.net/Downloads.aspx"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9874"
},
{
"type": "WEB",
"url": "https://www.synacktiv.com/blog.html"
},
{
"type": "WEB",
"url": "https://www.synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WG37-7MRV-CFWM
Vulnerability from github – Published: 2019-03-07 18:47 – Updated: 2022-09-14 22:45Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). Attacker can establish a RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affect tests running in Distributed mode. Note that versions before 4.0 are not able to encrypt traffic between the nodes, nor authenticate the participating nodes so upgrade to JMeter 5.1 is also advised.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.jmeter:ApacheJMeter"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-0187"
],
"database_specific": {
"cwe_ids": [
"CWE-327",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T22:00:15Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). Attacker can establish a RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affect tests running in Distributed mode. Note that versions before 4.0 are not able to encrypt traffic between the nodes, nor authenticate the participating nodes so upgrade to JMeter 5.1 is also advised.",
"id": "GHSA-wg37-7mrv-cfwm",
"modified": "2022-09-14T22:45:15Z",
"published": "2019-03-07T18:47:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0187"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-wg37-7mrv-cfwm"
},
{
"type": "WEB",
"url": "http://mail-archives.apache.org/mod_mbox/jmeter-user/201903.mbox/%3CCAH9fUpaUQaFbgY1Zh4OvKSL4wdvGAmVt%2Bn4fegibDoAxK5XARw%40mail.gmail.com%3E"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107219"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Unauthenticated Remote Code Execution in Apache JMeter"
}
GHSA-WG3P-6Q3H-P6W7
Vulnerability from github – Published: 2026-05-12 18:30 – Updated: 2026-05-13 18:30The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains an insecure deserialization vulnerability (CWE-502) in its Kubeflow component's model loading functionality. When loading model weights from a file (e.g., model.pt) during robustness evaluation, the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by uploading a maliciously crafted model file to an object storage location referenced by the pipeline, or by controlling the model_id parameter to point to such a file. When the pipeline loads the model, the malicious payload is executed, leading to remote code execution.
{
"affected": [],
"aliases": [
"CVE-2026-31229"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-12T18:16:51Z",
"severity": "CRITICAL"
},
"details": "The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains an insecure deserialization vulnerability (CWE-502) in its Kubeflow component\u0027s model loading functionality. When loading model weights from a file (e.g., model.pt) during robustness evaluation, the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by uploading a maliciously crafted model file to an object storage location referenced by the pipeline, or by controlling the model_id parameter to point to such a file. When the pipeline loads the model, the malicious payload is executed, leading to remote code execution.",
"id": "GHSA-wg3p-6q3h-p6w7",
"modified": "2026-05-13T18:30:46Z",
"published": "2026-05-12T18:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31229"
},
{
"type": "WEB",
"url": "https://github.com/Trusted-AI/adversarial-robustness-toolbox"
},
{
"type": "WEB",
"url": "https://www.notion.so/CVE-2026-31229-35d1e13931888172863dcc20beeb6b70"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WGH2-2342-MM46
Vulnerability from github – Published: 2024-08-19 18:32 – Updated: 2024-08-19 18:32Deserialization of Untrusted Data vulnerability in Liquid Web GiveWP allows Object Injection.This issue affects GiveWP: from n/a through 3.14.1.
{
"affected": [],
"aliases": [
"CVE-2024-37099"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-19T17:15:07Z",
"severity": "CRITICAL"
},
"details": "Deserialization of Untrusted Data vulnerability in Liquid Web GiveWP allows Object Injection.This issue affects GiveWP: from n/a through 3.14.1.",
"id": "GHSA-wgh2-2342-mm46",
"modified": "2024-08-19T18:32:07Z",
"published": "2024-08-19T18:32:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37099"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/give/wordpress-givewp-plugin-3-14-1-unauthenticated-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Mitigation
When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Mitigation
Explicitly define a final object() to prevent deserialization.
Mitigation
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.
Mitigation
Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-586: Object Injection
An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.