Insecure deserialization (in Python, unpickling via the pickle module) occurs when user-controllable data is deserialized by an application. An attacker who can manipulate the serialized objects can pass harmful data into the application code, which may result in arbitrary code execution, OS command injection or denial of service. Many deserialization-based attacks complete before deserialization has even finished: the deserialization process itself can trigger the attack, even if the application's own functionality never directly interacts with the malicious object. The pandas.read_pickle() function uses pickle for object deserialization and should not be used with untrusted data.
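pandas.read_pickle() offers no hook to restrict which classes a stream may name, so for untrusted input the practical mitigation is a non-executable format such as CSV, JSON or Parquet. Where raw pickle data must be accepted, the allowlisting Unpickler below shows the check that refuses a stream before any attacker-chosen callable is even resolved; this is an added example, not code from the original page or from pandas, and SAFE_GLOBALS and the two sample streams are constructed for it.

```python
import datetime
import io
import pickle
import subprocess

# Allowlist of (module, name) pairs the loader may resolve. Constructed for this
# example: plain data (dict, list, str, numbers, bytes, None) needs no globals
# at all, so only the few classes the application genuinely expects belong here.
SAFE_GLOBALS = {
    ("datetime", "date"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals.

    find_class() runs for every GLOBAL / STACK_GLOBAL opcode before the
    referenced object can be invoked by a later REDUCE or NEWOBJ opcode, so
    refusing here stops the stream before any attacker-chosen callable runs.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"global {module}.{name} is not in the allowlist")


def safe_loads(data: bytes):
    """Deserialize with the restricted unpickler; raises on disallowed globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes) -> tuple:
    """Return (accepted, value_or_error_message) instead of raising."""
    try:
        return True, safe_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample streams. BENIGN names only datetime.date; SUSPICIOUS is a
# stream that merely references subprocess.Popen by name (a plain pickle.loads
# would hand the callable back, which is exactly the resolution step we refuse).
BENIGN = pickle.dumps({"as_of": datetime.date(2024, 1, 2), "close": [1.5, 1.7]})
SUSPICIOUS = pickle.dumps(subprocess.Popen)

if __name__ == "__main__":
    print(try_load(BENIGN))      # (True, {...})
    print(try_load(SUSPICIOUS))  # (False, 'global subprocess.Popen is not in the allowlist')
```

The allowlist must be kept to the exact classes an application expects; widening it to anything callable reintroduces the problem the check exists to prevent.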
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-502: Deserialization of Untrusted Data
OWASP:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures