Insecure Deserialization
========================

A vulnerability where untrusted data is used to reconstruct application objects, potentially leading to remote code execution.

Tags: vulnerability, serialization, code execution

Insecure deserialization occurs when an application deserializes untrusted input (reconstructs objects from serialized data) without adequate validation. Attackers can manipulate serialized objects to alter application logic, escalate privileges, or achieve remote code execution through "gadget chains" — sequences of existing class methods that, when triggered during deserialization, perform malicious actions.

This vulnerability affects applications using native serialization in languages like Java (ObjectInputStream), PHP (unserialize), Python (pickle), Ruby (Marshal), and .NET (BinaryFormatter). It can also appear in applications that use insecure JSON deserialization with type information.

Exploitation typically requires knowledge of the application's class path and available libraries, but public gadget chain databases (like ysoserial for Java) make exploitation accessible. The impact ranges from denial of service to full remote code execution.
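The paragraphs above name Python's pickle among the native formats and describe how a deserializer will run existing code on the attacker's behalf. The following is an added example, not code from APVISO or from any project the page describes, that shows the vulnerable pattern beside a hardened one: a session cookie that is handed straight to `pickle.loads`, versus one that is HMAC-authenticated and then loaded through an `Unpickler` whose `find_class` only resolves an allowlisted class. The `Session` dataclass, the demo key and the `_CallsGetcwd` stand-in (which makes the stream invoke the harmless `os.getcwd` through the same `__reduce__` mechanism a real gadget uses) are all constructed for this example.

```python
import base64
import hashlib
import hmac
import io
import os
import pickle
from dataclasses import dataclass


# Hypothetical application object that legitimately travels in a session cookie.
@dataclass
class Session:
    user_id: int
    role: str


# Demo key, constructed for this example; a real deployment loads it from a secret store.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC-SHA256 prefix the pickle body


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves globals only from an explicit allowlist.

    pickle.loads() imports and calls whatever module.name the stream asks for;
    overriding find_class() is the hook where that resolution is decided.
    """
    ALLOWED = {(Session.__module__, "Session")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def serialize_session(session: Session, key: bytes = SECRET_KEY) -> str:
    """Server-side encoding: pickle, then HMAC-SHA256 so the client cannot alter it."""
    body = pickle.dumps(session)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + body).decode()


def load_session_vulnerable(token: str):
    """The insecure pattern: client-controlled bytes go straight into pickle.loads()."""
    return pickle.loads(base64.urlsafe_b64decode(token))


def load_session_safe(token: str, key: bytes = SECRET_KEY) -> Session:
    """Authenticate first, then deserialize with the allowlisting unpickler."""
    raw = base64.urlsafe_b64decode(token)
    if len(raw) < TAG_LEN:
        raise ValueError("session token too short")
    tag, body = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("session token failed integrity check")
    # Defense in depth: even an authenticated stream may only build Session objects,
    # so a leaked signing key does not turn into code execution.
    obj = restricted_loads(body)
    if not isinstance(obj, Session):
        raise ValueError("unexpected object type in session token")
    return obj


class _CallsGetcwd:
    """Constructed stand-in for a gadget: unpickling it calls os.getcwd().

    __reduce__ naming a callable plus its arguments is the mechanism a gadget
    chain relies on; os.getcwd is used because it has no side effects. Note that
    pickle records the callable's defining module (e.g. "posix" on Linux).
    """
    def __reduce__(self):
        return (os.getcwd, ())


def gadget_token(signed: bool = False) -> str:
    """Constructed token whose stream references os.getcwd; signed=True simulates a leaked key."""
    body = pickle.dumps(_CallsGetcwd())
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).digest() if signed else b""
    return base64.urlsafe_b64encode(tag + body).decode()


if __name__ == "__main__":
    token = serialize_session(Session(user_id=7, role="member"))
    print("safe loader:", load_session_safe(token))
    print("vulnerable loader ran os.getcwd():", load_session_vulnerable(gadget_token()))
    for signed in (False, True):
        try:
            load_session_safe(gadget_token(signed=signed))
        except Exception as exc:
            print(f"safe loader, signed={signed}: rejected ({exc})")
```

The two layers fail independently: an unsigned or modified token is stopped by the HMAC check before any deserialization happens, and a token signed with a leaked key is still stopped by `find_class`, which refuses to resolve `getcwd` (or any other callable outside the allowlist). Where possible, prefer a data-only format such as plain JSON over native serialization for anything that crosses a trust boundary; the allowlist is the fallback when the format cannot be changed.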

How APVISO tests for this: APVISO's pentester agent identifies serialized data in cookies, API parameters, and hidden form fields, then tests with known gadget chain payloads for the detected technology stack. It monitors for out-of-band callbacks to confirm exploitation.
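The first step described above, finding serialized objects in cookies and parameters, is also the first step of a defensive inventory: knowing which endpoints accept native serialization tells you where to add authentication, allowlists or a format change. The following is an added example (not APVISO's scanner and not part of this page) that fingerprints query parameters and cookies by the magic bytes of the formats the page names: Java `ObjectInputStream` (`AC ED 00 05`), .NET `BinaryFormatter`, Python pickle (`0x80` plus a protocol byte), Ruby `Marshal` (`04 08`), PHP `serialize()` output, and JSON carrying type information (`$type`, `@class`, `@type` keys). The request values in `SAMPLE_QUERY` and `SAMPLE_COOKIES` are constructed for the demonstration.

```python
import base64
import binascii
import json
import pickle
import re
from urllib.parse import parse_qsl, quote, unquote

# Magic-byte prefixes of native serialization formats, checked after base64 decoding.
MAGIC = [
    ("java-serialized", b"\xac\xed\x00\x05"),
    ("dotnet-binaryformatter", b"\x00\x01\x00\x00\x00\xff\xff\xff\xff"),
    ("ruby-marshal", b"\x04\x08"),
]
# PHP serialize() output for an object (O:) or custom-serialized class (C:).
PHP_SERIALIZED = re.compile(rb'^[OC]:\d+:"[A-Za-z_\\]+":\d+:\{')
# Keys used by polymorphic JSON deserializers to name the class to instantiate.
POLYMORPHIC_JSON_KEYS = {"$type", "@class", "@type"}


def _has_type_key(node) -> bool:
    if isinstance(node, dict):
        return any(k in POLYMORPHIC_JSON_KEYS for k in node) or any(
            _has_type_key(v) for v in node.values())
    if isinstance(node, list):
        return any(_has_type_key(v) for v in node)
    return False


def classify_blob(data: bytes):
    """Return a format label if the bytes look like a serialized object, else None."""
    if not data:
        return None
    for label, magic in MAGIC:
        if data.startswith(magic):
            return label
    # Pickle has no fixed magic beyond the PROTO opcode; protocols 2..5 carry it.
    if data[0] == 0x80 and len(data) > 1 and 2 <= data[1] <= 5:
        return "python-pickle"
    if PHP_SERIALIZED.match(data):
        return "php-serialized"
    if data.lstrip()[:1] in (b"{", b"["):
        try:
            if _has_type_key(json.loads(data)):
                return "json-with-type-info"
        except ValueError:  # includes JSONDecodeError and UnicodeDecodeError
            pass
    return None


def _decode_candidates(value: str):
    """Yield the raw value and, where it parses, its base64 / urlsafe-base64 decoding."""
    yield value.encode("latin-1", "replace")
    compact = value.strip()
    padded = compact + "=" * (-len(compact) % 4)
    for altchars in (None, b"-_"):
        try:
            yield base64.b64decode(padded, altchars=altchars, validate=True)
        except (binascii.Error, ValueError):
            continue


def find_serialized_values(query_string: str, cookie_header: str):
    """Return [(location, name, format)] for every parameter that looks serialized."""
    params = [("query", k, v) for k, v in parse_qsl(query_string, keep_blank_values=True)]
    for chunk in cookie_header.split(";"):
        if "=" in chunk:
            name, value = chunk.strip().split("=", 1)
            params.append(("cookie", name, unquote(value)))
    findings = []
    for location, name, value in params:
        for candidate in _decode_candidates(value):
            label = classify_blob(candidate)
            if label:
                findings.append((location, name, label))
                break
    return findings


# Constructed sample request: two serialized query parameters, two serialized cookies,
# and three benign values that must not be flagged.
SAMPLE_QUERY = "&".join([
    "profile=" + quote('O:4:"User":1:{s:4:"name";s:3:"bob";}'),
    "widget=" + quote('{"$type":"Example.Widget, Example","name":"x"}'),
    "page=2",
])
SAMPLE_COOKIES = "; ".join([
    "JSESSIONID=abc123",
    "state=" + base64.b64encode(b"\xac\xed\x00\x05" + b"constructed").decode(),
    "prefs=" + base64.urlsafe_b64encode(pickle.dumps({"theme": "dark"})).decode(),
    "note=" + base64.b64encode(b"hello world").decode(),
])

if __name__ == "__main__":
    for location, name, label in find_serialized_values(SAMPLE_QUERY, SAMPLE_COOKIES):
        print(f"{location:6} {name:8} -> {label}")
```

Run over real traffic (proxy logs, a WAF's request capture, or a code review of cookie parsers), each hit is a place where the receiving code should be checked for the pattern in the previous example: is the blob authenticated before it is decoded, and does the decoder restrict which classes it will instantiate? The scanner only looks at prefixes, so it will also surface blobs the application itself produced and signs correctly; those are worth logging rather than blocking.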

Related Terms
-------------

[Remote Code Execution (RCE)](/glossary/rce)[OWASP Top 10](/glossary/owasp-top-10)

Test your applications for insecure deserialization vulnerabilities
-------------------------------------------------------------------

APVISO's AI agents automatically test for this and many more vulnerability categories.

[Contact sales](/contact)

© 2026 APVISO. All rights reserved.
