SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-502 Unsafe Deserialization

Coverage: 9 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 8Other-pattern 1 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged code that deserializes untrusted data using unsafe APIs. This usually means the input can construct complex objects, not just "data", and those objects can trigger dangerous behavior when loaded.

Why it matters

Unsafe deserialization can lead to code execution.

Safer examples

1) Prefer JSON + strict schema validation

import json

data = json.loads(payload)  # then validate shape/types

2) Avoid native object deserialization for untrusted inputs

Avoid patterns like Java native serialization, Python pickle, Ruby Marshal, .NET BinaryFormatter, etc. for data coming from users, webhooks, or network.

3) If you must deserialize, constrain it hard

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.