CWE-5026 advisories

Deserialization of Untrusted Data

What it is

Untrusted serialized data is deserialized into objects, which can trigger code execution or object injection.

How to fix it

Upgrade to a version that restricts deserialization; switch to a safe data format.

How to avoid it

Never deserialize untrusted input with native/object deserializers; prefer JSON with a schema.

Known Deserialization of Untrusted Data vulnerabilities

AI-HUGGINGFACE-NULLIFAI-2025 — high · AI coding/Hugging Face ML models (Pickle)
CVE-2021-44228 — critical · Maven/org.ops4j.pax.logging:pax-logging-log4j2 · exploited
CVE-2021-44228 — critical · Maven/com.guicedee.services:log4j-core · exploited
CVE-2021-44228 — critical · Maven/org.apache.logging.log4j:log4j-core · exploited
CVE-2021-44228 — critical · Maven/org.apache.logging.log4j:log4j-core · exploited
CVE-2019-18935 — critical · Web app/Insecure Deserialization · exploited

Stateward flags Deserialization of Untrusted Data in your own code and dependencies on every pull request.

Scan my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.