Elixir Untrusted Data Deserialization
Description
This vulnerability detector identifies unsafe deserialization of untrusted data in Elixir applications. When user-controlled input is deserialized without proper validation or safe options, it can lead to remote code execution, data manipulation, or denial of service attacks.
Detection Strategy
• Identifies calls to known Elixir deserialization functions (such as :erlang.binary_to_term, Erlang.term_to_binary, or similar serialization sinks)
• Checks if the data being deserialized originates from user input sources (HTTP parameters, form data, external APIs, etc.)
• Verifies that safe deserialization options are not configured (missing [:safe] option or equivalent safety mechanisms)
• For piped function calls, analyzes the left-hand side of the pipe as the payload source
• For regular function calls, examines the first argument as payload and second argument as options
• Reports vulnerability when untrusted data flows into deserialization functions without proper safety controls
Vulnerable code example
defmodule VulnerableApp do
import Plug.Conn
def handle_request(conn) do
payload = conn.params["data"]
term = :erlang.binary_to_term(payload) # Deserializes untrusted input
...✅ Secure code example
defmodule VulnerableApp do
import Plug.Conn
def handle_request(conn) do
payload = conn.params["data"]
term = :erlang.binary_to_term(payload, [:safe]) # Use :safe option to prevent atom creation
...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.