The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The numpy.load() function allows pickle for object deserialization. This behaviour is turned off by default in version 1.16.3. Do not turn this on with allow_pickle=True when loading data from untrusted sources. Likelihood: MEDIUM Confidence: HIGH CWE: - CWE-502: Deserialization of Untrusted Data
OWASP: - A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures