Get Started
- CodeAnt AI
- Control Center
- Pull Request Review
- IDE
- Compliance
- Anti-Patterns
- Code Governance
- Infrastructure Security Database
- Application Security Database
- Apex
- Bash
- C
- Clojure
- Cpp
- Csharp
- Dockerfile
- Elixir
- Fingerprints
- Generic
- Go
- Html
- Java
- Javascript
- Json
- Kotlin
- Ocaml
- Php
- Problem-based-packs
- Python
- Airflow
- Attr
- Aws-lambda
- Bokeh
- Boto3
- Cassandra
- Click
- Correctness
- Couchbase
- Cryptography
- Distributed
- Django
- Docker
- Elasticsearch
- Fastapi
- Flask
- Ai
- Best practice
- Caching
- Code
- Correctness
- Db
- Debug
- Deserialization
- Tainted-dill-flask
- Tainted-json-flask
- Tainted-jsonpickle-flask
- Tainted-marshal-flask
- Tainted-numpy-pickle-flask
- Tainted-pandas-hdf-flask
- Tainted-pandas-pickle-flask
- Tainted-pickle-flask
- Tainted-pyyaml-flask
- Tainted-ruamel-flask
- Tainted-shelve-flask
- Tainted-torch-pickle-flask
- File
- Flask-hardcoded-database-password-uri
- Log
- Maintainability
- Net
- Os
- Regex
- Security
- Security
- Web
- Xml
- Jinja2
- Jwt
- Lang
- Ldap3
- Mariadb
- Mysql
- Mysqlclient
- Neo4j
- Openai
- Peewee
- Pg8000
- Psycopg2
- Pycryptodome
- Pyjwt
- Pymongo
- Pymssql
- Pymysql
- Pyramid
- Redis
- Requests
- Sh
- Sqlalchemy
- Tormysql
- Urllib3
- Webrepl
- Wtforms
- Ruby
- Rust
- Scala
- Solidity
- Swift
- Terraform
- Typescript
- Yaml
Tainted jsonpickle flask
The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The jsonpickle
module can execute arbitrary Python code. Do not load jsonpickles
from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-502: Deserialization of Untrusted Data
OWASP:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures