
Insecure Deserialization

Definition

Insecure deserialization occurs when applications deserialize data from untrusted sources without validation, allowing attackers to manipulate serialized objects to achieve remote code execution, privilege escalation, or denial of service. The vulnerability is particularly dangerous in Java, Python, and PHP applications that use object serialization for session management or inter-service communication.

Mitigations include integrity checks, type allowlisting, and avoiding native serialization of untrusted data.
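The two mitigations named above, an integrity check and a type allowlist, applied to Python's pickle as an added example (not code from the original page); SessionData, the key and the tampering step are constructed for illustration:

```python
import hashlib
import hmac
import io
import pickle
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC tag appended to each blob

class SessionData:  # constructed example of an object kept in a session
    def __init__(self, user_id, roles):
        self.user_id = user_id
        self.roles = list(roles)

# Type allowlist: the only global pickle may resolve; any other module.attr is refused.
ALLOWED_GLOBALS = {(__name__, "SessionData")}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # pickle routes every class/function lookup through here, so this is the choke point.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def sign(payload: bytes, key: bytes) -> bytes:
    """Integrity check: append an HMAC-SHA256 tag over the serialized bytes."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def load_trusted(blob: bytes, key: bytes):
    """Verify the tag before parsing anything, then deserialize under the allowlist."""
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return RestrictedUnpickler(io.BytesIO(payload)).load()

def rejects(blob: bytes, key: bytes, exc) -> bool:
    try:
        load_trusted(blob, key)
    except exc:
        return True
    return False

def demo(key: bytes = b"constructed-demo-key") -> dict:
    """Happy path, a tampered blob, and a signed blob naming an unlisted global (builtins.print)."""
    good = sign(pickle.dumps(SessionData(42, ["user"])), key)
    session = load_trusted(good, key)
    tampered = bytearray(good)
    tampered[5] ^= 0x01  # flip one payload byte; the HMAC no longer matches
    unlisted = sign(pickle.dumps(print), key)  # valid tag, but the global is not allowlisted
    return {"user_id": session.user_id, "roles": session.roles,
            "tampered_rejected": rejects(bytes(tampered), key, ValueError),
            "unlisted_global_rejected": rejects(unlisted, key, pickle.UnpicklingError)}
```

The allowlist still rejects the third blob even though its signature is valid, which is why the two controls are layered rather than alternatives.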
