CWE-502: Deserialization of Untrusted Data

Overview

This issue was identified during dynamic (DAST) scanning based on observed runtime behavior indicating that attacker-controlled data was deserialized into application objects without sufficient trust validation. Confirmation of the root cause requires reviewing how serialized data is processed by the application.

Analyzing the Dynamic Scan Result

What the DAST Scanner Found

DAST findings for CWE-502 typically indicate runtime behavior consistent with unsafe deserialization, such as:

  • Acceptance of serialized object data from untrusted sources
  • Application behavior changing based on crafted serialized input
  • Errors or responses suggesting object reconstruction from external data

Evidence is based on observed runtime effects, not on request parameters or payload syntax.

Mapping DAST Findings to Source Code

CWE-502 does not map to a specific HTTP endpoint or request parameter. The issue resides in code that deserializes data originating from untrusted sources.

When tracing this issue in code, look for:

  • Deserialization APIs capable of instantiating objects
  • Session or state restoration logic
  • Message, cache, or queue consumers that deserialize data
  • Trust decisions applied after deserialization instead of before

Remediation

Core Principle: Never allow untrusted data to be deserialized into executable or instantiable objects; all deserialization boundaries must enforce integrity and type safety before object creation.

→ For comprehensive remediation guidance, see Static CWE-502 Guidance
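As an added example, not taken from this guidance page, the core principle above in Python: an HMAC is verified before any byte reaches the unpickler (integrity), and a restricted Unpickler only resolves an allowlist of plain data types (type safety), so the trust decision is made before object creation. The key, allowlist and sample objects are constructed for illustration.

```python
import collections
import hashlib
import hmac
import io
import pickle

# Constructed example key; a real service loads this from a secret store.
KEY = b"example-key-not-for-production"

# Only plain data containers may be reconstructed; anything else is refused.
ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
           ("builtins", "str"), ("builtins", "int"), ("builtins", "float")}


class RestrictedUnpickler(pickle.Unpickler):
    """Type safety: refuse to resolve any global not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to load {module}.{name}")


def sign(payload: bytes) -> bytes:
    """Producer side: prefix the serialized bytes with an HMAC-SHA256 tag."""
    return hmac.new(KEY, payload, hashlib.sha256).digest() + payload


def load_trusted(blob: bytes):
    """Consumer side: verify integrity first, then deserialize with the
    type allowlist. Returns the object, or None if either check fails."""
    mac, payload = blob[:32], blob[32:]
    expected = hmac.new(KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None   # tampered or unsigned: bytes never reach the unpickler
    try:
        return RestrictedUnpickler(io.BytesIO(payload)).load()
    except pickle.UnpicklingError:
        return None   # disallowed type: the object is never instantiated


def demo():
    """Constructed inputs exercising each path; returns the outcomes."""
    ok = sign(pickle.dumps({"user": "alice", "roles": ["viewer"]}))
    tampered = ok[:32] + bytes([ok[32] ^ 0xFF]) + ok[33:]  # flip one payload byte
    # Signed, but OrderedDict is not on the allowlist, so it is still refused.
    wrong_type = sign(pickle.dumps(collections.OrderedDict(user="alice")))
    return {"valid": load_trusted(ok),
            "tampered": load_trusted(tampered),
            "disallowed_type": load_trusted(wrong_type)}
```

The same shape applies to any object serializer: authenticate the bytes, then restrict which types the deserializer may instantiate, rather than validating the object after it already exists.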

Language-Specific Guidance

The static guidance provides detailed remediation steps for many languages. If you need language-specific examples:

Verification and Follow-Up Testing

After applying the fix:

Verify Trust Boundaries

  • Confirm untrusted data is no longer deserialized into objects
  • Ensure deserialization occurs only on trusted, integrity-checked data

Validate Runtime Behavior

  • Verify application behavior is unaffected by crafted serialized input
  • Confirm unsafe deserialization paths are unreachable

Re-run DAST Scanner

Re-run the dynamic scanner to confirm deserialization behavior is no longer observed.

Additional Resources