---
title: Insecure Deserialization Explained
description: Insecure deserialization lets attackers execute code by manipulating serialized data. Learn how this vulnerability works and why it's rare in modern JavaScript apps.
ogDescription: Learn how insecure deserialization works and when your app might be at risk.
category: vulnerabilities
date: 2026-01-16
dateModified: 2026-02-02
readTime: 6 min read
schemaType: TechArticle
---

::tldr
Insecure deserialization occurs when an application deserializes untrusted data and the attacker-controlled bytes can drive the deserializer into executing code or changing application logic. It is primarily a concern in languages with native object serialization, such as Java, PHP and Python. Most JavaScript/TypeScript apps that exchange JSON are not exposed to the classic attacks, but you should still validate the structure and types of whatever you parse.
::

## What Is Insecure Deserialization?

Serialization converts in-memory objects into a format that can be stored or transmitted; deserialization turns that data back into objects. When an application deserializes data from an untrusted source, an attacker who controls the bytes can manipulate them to:

- Execute arbitrary code
- Manipulate application logic
- Bypass authentication
- Access sensitive data

## Is My JavaScript App at Risk?

::success-box
**Good news:** JavaScript's `JSON.parse()` doesn't execute code during parsing. Most modern JavaScript apps that use JSON for data exchange aren't vulnerable to classic deserialization attacks.
::

However, you might be at risk if you:

- Use `eval()` or `new Function()` with user data
- Use libraries with custom object serialization
- Trust serialized objects in cookies or tokens without validating them (or, for signed tokens, without verifying the signature)
- Have a Node.js backend using libraries like `node-serialize`

## JavaScript-Specific Risks

### Dangerous: Using eval() with User Data

::code-block{label="Never do this"}
```javascript
// EXTREMELY DANGEROUS: the request body is evaluated as JavaScript
const userData = req.body.data;
const result = eval(userData);  // Remote code execution!

// Also dangerous: new Function() compiles and runs the string just like eval()
const fn = new Function('return ' + userData);
fn();
```
::

### Safer: JSON with Validation

::code-block{label="Safe approach with validation"}
```javascript
import { z } from 'zod';

const UserSchema = z.object({
  id: z.string().uuid(),
  name: z.string().max(100),
  email: z.string().email(),
  role: z.enum(['user', 'admin'])
});

// Parse and validate in one step
const user = UserSchema.parse(JSON.parse(requestBody));
// If validation fails, parse() throws a ZodError; use safeParse() if you
// prefer a result object instead of an exception
```
::

## Where It Matters More

Insecure deserialization is more critical in:

- **Java applications:** `ObjectInputStream` instantiates whatever classes the stream names and runs their `readObject()`/`readResolve()` logic, so a chain of classes already on the classpath (a gadget chain) can be driven into executing code
- **PHP applications:** `unserialize()` runs magic methods such as `__wakeup()` and `__destruct()` on attacker-chosen classes, which has led to many RCE vulnerabilities
- **Python applications:** the `pickle` module executes the callables named in the stream (via `__reduce__`), so loading an untrusted pickle is arbitrary code execution

:::faq-section
::faq-item{question="Is JSON.parse() safe?"}
`JSON.parse()` is safe from code execution. It only creates data structures (objects, arrays, strings, numbers, booleans, null); it never executes functions or creates class instances, and a reviver is code you supply, not something the data can inject. The one JSON-specific trap is a key such as `__proto__`: `JSON.parse()` stores it as an ordinary own property, but if you later merge the parsed object into another object with a naive recursive merge you can pollute `Object.prototype`.
::

::faq-item{question="What about JWT tokens?"}
Decoding a JWT is just base64url and JSON, so parsing itself is safe, but you must verify the signature before trusting any claim. Verify with the algorithm you expect and the matching key (your secret for HMAC, the issuer's public key for RSA/ECDSA), and reject tokens whose header asks for `alg: none` or any algorithm you did not expect.
::

::faq-item{question="Should I still validate JSON data?"}
Yes! While `JSON.parse()` won't execute code, you should validate the structure and types of parsed data. This prevents logic bugs and ensures data integrity.
::
:::

::related-articles
:related-card{title="Prototype Pollution" href="/blog/vulnerabilities/prototype-pollution" description="JavaScript-specific vulnerability"}
:related-card{title="Command Injection" href="/blog/vulnerabilities/command-injection" description="Code execution attacks"}
:related-card{title="Validate User Input" href="/blog/how-to/validate-user-input" description="Input validation guide"}
::

::cta-box{href="/" label="Start Free Scan"}
## Scan for Security Issues

Our scanner checks for dangerous patterns in your code.
::