Skip to content

Untrusted or Insecure Deserialization

Preventing Security Issues in Deserialization Processes

Tackle Untrusted Deserialization Risks
Table of Contents

What is untrusted or insecure deserialization?

Serialization refers to the process of converting an object into a format which can be saved to a file or a datastore, sent through streams, or sent over a network. The format in which an object is serialized can either be binary or structured text (for example, Java, XML, JSON, YAML). Deserialization reverses the serialization process, transforming serialized data coming from a file, stream, or network socket into an object.

Insecure Deserialization (aka Untrusted Deserialization) is a web application vulnerability that enables users to pass arbitrary objects or code to a deserializer. In this kind of attack, untrusted data abuses the logic of an application to inflict a denial of service (DoS) attack, achieve authentication bypass, enable remote code execution, and even execute arbitrary code as it is being deserialized.

Applications and APIs are vulnerable to Insecure Deserialization whenever they deserialize untrusted or hostile objects supplied by an attacker. A widespread vulnerability in Java environments also leave thousands of businesses seriously exposed. To protect against this vulnerability, safe deserialization is a common software development practice.


Learn More About Contrast Security

Contrast is the clear customers’ choice

Contrast is named a Customers’ Choice in the 2021 Gartner Peer Insights “Voice of the Customer”: Application Security Testing report. With the highest percentage of 5-star ratings, this is the third consecutive year Contrast has received this powerful endorsement from customers.


Built for Developers. Trusted by Security.


Learn Secure Code

Cross Site Scripting (XSS)


Learn about Cross site scripting (XSS) and how it affects your Java source code

SQL Injection - Java-1


Learn about SWL injection and how it affects your Java source code

Client Side Injection


Learn about client-side injection and how it can affect your source code