Insecure Deserialization
Insecure deserialization happens when an application accepts serialized objects from users or external systems and reconstructs them without verifying their integrity (for example with a signature or MAC), constraining the types that may be instantiated, or checking that the result has the expected structure and values. Attackers can modify the serialized data to bypass access controls, escalate privileges, or manipulate workflows; with formats whose deserializer instantiates arbitrary classes and runs their hooks (Java ObjectInputStream, Python pickle, PHP unserialize, .NET BinaryFormatter), they can chain existing classes into "gadget chains" that achieve remote code execution during deserialization itself, before application code ever inspects the object. The risk is high in enterprise systems because serialized data is routinely passed through sessions, APIs, message queues, caches, and distributed application components, often between parties that implicitly trust one another.
Serialized Data Received → Data Not Verified → Object Manipulated → Logic Abuse / Code Execution → Integrity Checks Applied
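The following is an added example, not code from the original page, that shows the pattern above in Python: a session loaded with `pickle` executes an attacker-supplied callable during deserialization, a restricted unpickler that refuses every global stops the gadget, and an HMAC-signed JSON session with a fixed field and type allowlist rejects any tampered or malformed blob. The names `Gadget`, `attacker_callback`, `SESSION_KEY`, and the session schema are assumptions made for the demonstration; the gadget records a marker instead of running a real command.

```python
"""Vulnerable pickle session beside two hardened loaders (added example)."""
import hashlib
import hmac
import io
import json
import pickle
import secrets

EXECUTED = []  # records gadget side effects so the demo stays harmless


def attacker_callback(arg):
    """Stands in for os.system or any other callable reachable by the gadget."""
    EXECUTED.append(arg)
    return {"role": "admin"}


class Gadget:
    """Hypothetical gadget: pickle calls the returned callable on load."""
    def __reduce__(self):
        return (attacker_callback, ("pwned",))


def vulnerable_load(blob: bytes) -> dict:
    """Insecure: pickle.loads resolves and runs callables from the untrusted blob."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened form 1: refuse to resolve any global, so no callable can be reached."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_load(blob: bytes) -> dict:
    return RestrictedUnpickler(io.BytesIO(blob)).load()


# Hardened form 2: integrity (HMAC) plus a strict structural and type allowlist.
SESSION_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret
ALLOWED_FIELDS = {"user_id": int, "role": str}
ALLOWED_ROLES = {"user", "admin"}


def sign_session(session: dict, key: bytes = SESSION_KEY) -> bytes:
    body = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def safe_load(token: bytes, key: bytes = SESSION_KEY) -> dict:
    body, _, tag = token.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):  # check integrity before parsing
        raise ValueError("bad signature")
    data = json.loads(body)  # JSON builds only dicts/lists/scalars, never objects
    if not isinstance(data, dict) or set(data) != set(ALLOWED_FIELDS):
        raise ValueError("unexpected structure")
    for field, typ in ALLOWED_FIELDS.items():
        if type(data[field]) is not typ:  # exact type, so bool is not accepted as int
            raise ValueError(f"{field} has wrong type")
    if data["role"] not in ALLOWED_ROLES:
        raise ValueError("unknown role")
    return data


def demo() -> dict:
    """Runs the constructed attack against each loader and reports what happened."""
    results = {}
    malicious = pickle.dumps({"user_id": 7, "role": Gadget()})  # constructed payload

    EXECUTED.clear()
    vulnerable_load(malicious)
    results["pickle_executed_gadget"] = EXECUTED == ["pwned"]

    EXECUTED.clear()
    try:
        restricted_load(malicious)
        results["restricted_blocked"] = False
    except pickle.UnpicklingError:
        results["restricted_blocked"] = EXECUTED == []

    token = sign_session({"user_id": 7, "role": "user"})
    results["signed_roundtrip"] = safe_load(token) == {"user_id": 7, "role": "user"}

    tampered = token.replace(b'"role":"user"', b'"role":"admin"')  # privilege escalation attempt
    try:
        safe_load(tampered)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True

    wrong_type = sign_session({"user_id": "7", "role": "user"})  # signed but malformed
    try:
        safe_load(wrong_type)
        results["type_rejected"] = False
    except ValueError:
        results["type_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Two points the block makes that the text alone does not: the gadget fires inside `pickle.loads`, so no later validation of the returned dict can undo it, which is why the restricted unpickler must intervene at `find_class`; and the HMAC check must run before any parsing, because even a JSON parser can be fed hostile input, while the field and type allowlist catches blobs that are authentic but were produced by a bug or an older code path.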
