How do I fix CWE-502 (Deserialization of Untrusted Data)?

Use safe serialization formats (JSON) instead of native object serialization. If native serialization is required, implement strict type allowlists. Never deserialize data from untrusted sources without validation. Implement integrity checks (HMAC signatures) on serialized data. Isolate deserialization in sandboxed environments

Fix GuideData Integrity

How to Fix CWE-502: Deserialization of Untrusted Data

Verified by Precogs Threat Research

The application deserializes data from untrusted sources without validation, allowing attackers to inject malicious objects.

⚠️ Impact if Unpatched

Remote code execution, denial of service, authentication bypass, arbitrary object instantiation.

Step-by-Step Remediation

Use safe serialization formats (JSON) instead of native object serialization
If native serialization is required, implement strict type allowlists
Never deserialize data from untrusted sources without validation
Implement integrity checks (HMAC signatures) on serialized data
Isolate deserialization in sandboxed environments

Don't just patch one instance.

Scan your entire codebase for all instances of Deserialization of Untrusted Data.

Scan for Free with Precogs AI →

Recent Vulnerabilities (CWE-502)

26 vulnerabilities in our database match Deserialization of Untrusted Data.

CVE-2026-4860: CVE-2026-4860: Unsafe Deserialization in wvp-GB28181-pro

CVSS

CVE-2025-54136: Remote Code Execution in Cursor AI Code Editor via malicious MCP servers

CVSS 9.8

CVE-2025-68664: LangChain Serialization Injection Flaw — Secret extraction via unsafe deserializ

CVSS 9.8

CVE-2024-12703: Deserialization of Untrusted Data — Classic RCE pattern

CVSS 9.8

CVE-2025-27779: LangChain Deserialization of Untrusted Data

CVSS 9.8

CVE-2026-0500: SAP Wily Introscope Unsafe Deserialization RCE

CVSS 9.6

CVE-2025-49113: RoundCube Webmail Deserialization Remote Code Execution

CVSS 9.8

CVE-2025-61882: Oracle EBS Zero-Day — Pre-authentication RCE in BI Publisher

CVSS 9.8

CVE-2026-0677: Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite

CVSS 7.2

CVE-2026-29109: SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (C

CVSS 0

View all 26 vulnerabilities →