321 – Avoid deserializing untrusted data

Summary

The system must not deserialize untrusted data before applying the appropriate integrity checks.

Description

Serialization is the process of transforming an object into a stream of bytes to store or transmit it. This allows saving its state, so that it can be recovered later using deserialization. If an object comes from an untrusted source and is not properly validated before being deserialized, it can lead to deserialization attacks such as object injection.

Supported In

Essential: True

Advanced: True

References

• CAPEC-130. Excessive allocation
• CAPEC-153. Input data manipulation
• CAPEC-248. Command injection
• CAPEC-586. Object injection
• CWE-95. Improper neutralization of directives in dynamically evaluated code ("eval injection")
• CWE-502. Deserialization of untrusted data
• OWASP10-A3. Injection
• OWASP10-A8. Software and data integrity failures
• CERTJ-SER12-J. Prevent deserialization of untrusted data
• PADSS-5_2_1. Injection flaws, particularly SQL injection
• SANS25-15. Deserialization of untrusted data
• SANS25-18. Use of hard-coded credentials
• PDPO-S1_4. Security of personal data
• HITRUST-10_d. Message integrity
• FEDRAMP-CA-3. System interconnections
• FEDRAMP-SC-8. Transmission confidentiality and integrity
• IEC62443-IAC-1_13. Access via untrusted networks
• OWASPSCP-1. Input validation
• CWE25-502. Deserialization of untrusted data
• CWE25-798. Use of hard-coded credentials
• ASVS-1_5_2. Input and output architecture
• ASVS-1_14_5. Configuration architecture
• ASVS-5_5_1. Deserialization prevention
• ASVS-5_5_3. Deserialization prevention
• ASVS-5_5_4. Deserialization prevention
• CASA-1_5_2. Input and Output Architecture
• CASA-1_14_5. Configuration Architecture
• CASA-5_5_1. Deserialization Prevention
• OWASPLLM-LLM05:2025. Improper Output Handling

Weaknesses

• 454 – Improper output handling
• 096 – Insecure deserialization

Last updated

2025/06/17