CodeAnt AI home pagelight logodark logo
  • Dashboard
  • Dashboard
  • Documentation
  • Demo Call with CEO
  • Blog
  • Slack
  • Get Started
    • CodeAnt AI
    • Setup
    • Control Center
    • Pull Request Review
    • IDE
    • Compliance
    • Anti-Patterns
    • Code Governance
    • Infrastructure Security Database
    • Application Security Database
      • Apex
      • Bash
      • C
      • Clojure
      • Cpp
      • Csharp
      • Dockerfile
      • Elixir
      • Fingerprints
      • Generic
      • Go
      • Html
      • Java
      • Javascript
      • Json
      • Kotlin
      • Ocaml
      • Php
      • Problem-based-packs
      • Python
        • Airflow
        • Attr
        • Aws-lambda
        • Bokeh
        • Boto3
        • Cassandra
        • Click
        • Correctness
        • Couchbase
        • Cryptography
        • Distributed
        • Django
        • Docker
        • Elasticsearch
        • Fastapi
        • Flask
        • Jinja2
        • Jwt
        • Lang
        • Ldap3
        • Mariadb
        • Mysql
        • Mysqlclient
        • Neo4j
        • Openai
        • Peewee
        • Pg8000
        • Psycopg2
        • Pycryptodome
        • Pyjwt
        • Pymongo
        • Pymssql
        • Pymysql
        • Pyramid
          • Audit
          • Deserialization
            • Tainted-dill-pyramid
            • Tainted-json-pyramid
            • Tainted-jsonpickle-pyramid
            • Tainted-marshal-pyramid
              • Tainted marshal pyramid
            • Tainted-numpy-pickle-pyramid
            • Tainted-pandas-hdf-pyramid
            • Tainted-pandas-pickle-pyramid
            • Tainted-pickle-pyramid
            • Tainted-pyyaml-pyramid
            • Tainted-ruamel-pyramid
            • Tainted-shelve-pyramid
            • Tainted-torch-pickle-pyramid
          • Security
        • Redis
        • Requests
        • Sh
        • Sqlalchemy
        • Tormysql
        • Urllib3
        • Webrepl
        • Wtforms
      • Ruby
      • Rust
      • Scala
      • Solidity
      • Swift
      • Terraform
      • Typescript
      • Yaml
    Tainted-marshal-pyramid

    Tainted marshal pyramid

    The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: Deserialization prevention The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml.
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-502: Deserialization of Untrusted Data
    OWASP:
    - A08:2017 - Insecure Deserialization
    - A08:2021 - Software and Data Integrity Failures

    Tainted jsonpickle pyramidTainted numpy pickle pyramid
    twitterlinkedin
    Powered by Mintlify
    Assistant
    Responses are generated using AI and may contain mistakes.