Python Loads Insecure Deserialization
Description
Detects insecure deserialization vulnerabilities when using Python's pickle.loads() function with untrusted input. The pickle module is inherently unsafe for deserializing untrusted data as it can execute arbitrary code during deserialization, potentially leading to remote code execution attacks.
Detection Strategy
• Check if the 'pickle' module is imported in the Python source code
• Look for calls to functions ending with 'loads' (targeting pickle.loads)
• Examine if the first argument to loads() contains or is derived from user-controlled input
• Verify the input argument is not properly sanitized before being passed to loads()
• Report a vulnerability if unsafe user input reaches pickle.loads() without proper validation
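The steps above can be sketched as a small AST check. This is an added example, not the scanner's own code: the `SOURCES` set, the function names and the sample input are assumptions made for illustration, and sanitizer recognition (the fourth step) is not modelled.

```python
import ast

# Assumption: these Flask `request` members are the user-controlled sources.
SOURCES = {"get_data", "data", "args", "form", "values", "cookies", "headers", "json"}

def is_tainted(expr, tainted):
    """True if expr reads request.<source> or a variable already marked tainted."""
    return any(
        (isinstance(n, ast.Name) and n.id in tainted)
        or (isinstance(n, ast.Attribute) and n.attr in SOURCES
            and isinstance(n.value, ast.Name) and n.value.id == "request")
        for n in ast.walk(expr))

def find_unsafe_loads(source):
    """Line numbers where request-derived data reaches a pickle *loads call."""
    nodes = list(ast.walk(ast.parse(source)))
    mods, funcs = set(), set()   # names bound to the pickle module / its loads functions
    for n in nodes:              # step 1: is pickle imported, and under which names?
        if isinstance(n, ast.Import):
            mods |= {a.asname or a.name for a in n.names if a.name == "pickle"}
        elif isinstance(n, ast.ImportFrom) and n.module == "pickle":
            funcs |= {a.asname or a.name for a in n.names if a.name.endswith("loads")}
    tainted, size = set(), -1
    while len(tainted) != size:  # step 3: flow-insensitive taint through assignments
        size = len(tainted)
        for n in nodes:
            if isinstance(n, ast.Assign) and is_tainted(n.value, tainted):
                tainted |= {t.id for t in n.targets if isinstance(t, ast.Name)}

    def is_sink(f):              # step 2: a pickle call whose name ends with "loads"
        if isinstance(f, ast.Attribute):
            return (f.attr.endswith("loads") and isinstance(f.value, ast.Name)
                    and f.value.id in mods)
        return isinstance(f, ast.Name) and f.id in funcs
    # Steps 4-5: sanitizers are not modelled, so every tainted first argument is reported.
    return sorted({n.lineno for n in nodes if isinstance(n, ast.Call) and n.args
                   and is_sink(n.func) and is_tainted(n.args[0], tainted)})

# Constructed sample input (not the page's truncated example).
SAMPLE = '''import pickle, json
from flask import request
def process_data():
    raw_data = request.get_data()
    return pickle.loads(raw_data)
def process_json():
    return json.loads(request.get_data())
def load_cache():
    return pickle.loads(open("cache.bin", "rb").read())
'''
```

On the sample, only the `pickle.loads(raw_data)` call is reported; the `json.loads` call and the pickle load of a local file are not, because the first is not a pickle sink and the second has no request-derived argument.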
Vulnerable code example
import pickle
from flask import Flask, request
app = Flask(__name__)
@app.post("/api/data")
def process_data():
    raw_data = request.get_data()
    ...
✅ Secure code example
import pickle
from flask import Flask, request, jsonify
app = Flask(__name__)
# Define whitelist of allowed pickle data
SAFE_PICKLES = {
    pickle.dumps({}),
    ...