Tainted pandas pickle django
Insecure deserialization occurs when an application deserializes user-controllable data (in Python, loading a pickled object is called unpickling). This can allow an attacker to manipulate serialized objects in order to pass harmful data into the application code, and may result in arbitrary code execution, OS command injection or DoS. Many deserialization-based attacks are completed before deserialization is finished. This means that the deserialization process itself can initiate an attack, even if the app's own functionality does not directly interact with the malicious object. The pandas.read_pickle() function uses pickle for object deserialization and should not be used with untrusted data.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-502: Deserialization of Untrusted Data
OWASP:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
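A simplified version of the check this rule describes, as an added example (not CodeAnt AI's rule implementation): it parses Django view source with Python's ast module and flags read_pickle calls whose argument comes from the request. The sample views, the file path and the list of request attributes are assumptions made for the illustration.

```python
import ast

# Constructed sample Django views; the text is only parsed, never executed.
SAMPLE = '''
import pandas as pd
from django.http import JsonResponse

def load_report(request):
    path = request.GET.get("file")
    df = pd.read_pickle(path)
    return JsonResponse({"rows": len(df)})

def load_upload(request):
    return pd.read_pickle(request.FILES["data"])

def load_fixed(request):
    return pd.read_pickle("/srv/app/cache/report.pkl")
'''

# Attributes of Django's HttpRequest treated as taint sources (assumed list).
SOURCES = {"GET", "POST", "FILES", "body", "COOKIES", "META", "headers"}

def from_request(node, tainted):
    """True if the expression reads request.<source> or a tainted local."""
    for sub in ast.walk(node):
        if (isinstance(sub, ast.Attribute) and sub.attr in SOURCES
                and isinstance(sub.value, ast.Name) and sub.value.id == "request"):
            return True
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
    return False

def find_tainted_read_pickle(source):
    """Return sorted (function, line) pairs where read_pickle gets request data."""
    findings = set()
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for node in ast.walk(func):  # pass 1: locals assigned from the request
            if isinstance(node, ast.Assign) and from_request(node.value, tainted):
                tainted |= {t.id for t in node.targets if isinstance(t, ast.Name)}
        for node in ast.walk(func):  # pass 2: read_pickle calls fed by taint
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "read_pickle"):
                args = node.args + [k.value for k in node.keywords]
                if any(from_request(a, tainted) for a in args):
                    findings.add((func.name, node.lineno))
    return sorted(findings, key=lambda f: f[1])
```

The check is intraprocedural and matches any method named read_pickle, so it is a starting point for review rather than a full taint analysis; load_fixed is not flagged because its path is a constant.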