Interlace ESLint
ESLint Interlace
Secure CodingRules

no-unsafe-deserialization

Detects unsafe deserialization of untrusted data. This rule is part of [`eslint-plugin-secure-coding`](https://www.npmjs.com/package/eslint-plugin-secure-coding

Keywords: unsafe deserialization, CWE-502, RCE, code execution, YAML, pickle, security

Detects unsafe deserialization of untrusted data. This rule is part of eslint-plugin-secure-coding.

💼 This rule is set to error in the recommended config.

Quick Summary

AspectDetails
CWE ReferenceCWE-502 (Unsafe Deserialization)
SeverityCritical (CVSS 9.8)
Auto-Fix💡 Suggestions available
CategoryObject & Prototype

Vulnerability and Risk

Vulnerability: Unsafe deserialization happens when an application accepts serialized objects from untrusted sources and deserializes them without validation.

Risk: Serialized data can contain malicious payloads that, upon deserialization, execute arbitrary code (Remote Code Execution - RCE), modify application logic, or cause Denial of Service (DoS). This is often considered one of the most critical security risks.

Rule Details

Unsafe deserialization occurs when untrusted data is deserialized in a way that allows attackers to execute arbitrary code or manipulate application logic. This includes:

  • Using eval() or Function() on untrusted data
  • YAML parsers that execute code
  • JSON with prototype pollution
  • Insecure serialization libraries

Why This Matters

IssueImpactSolution
💻 RCEFull system compromiseUse safe deserializers
🎭 Object ManipulationLogic bypassValidate before deserializing
🔓 Auth BypassUnauthorized accessUse JSON.parse() for JSON data

Examples

❌ Incorrect

// eval() for deserialization
const data = eval('(' + userInput + ')');

// Function constructor with user input
const fn = new Function('return ' + userInput);
const data = fn();

// YAML.load() without safe mode
import yaml from 'js-yaml';
const config = yaml.load(userYaml); // Can execute code!

// Unsafe serialization libraries
const obj = serialize.unserialize(userInput);

✅ Correct

// Use JSON.parse() for JSON data
const data = JSON.parse(userInput);

// YAML with safeLoad
import yaml from 'js-yaml';
const config = yaml.safeLoad(userYaml);
// Or with explicit safe schema
const config = yaml.load(userYaml, { schema: yaml.SAFE_SCHEMA });

// Validate before deserialization
if (isValidJson(userInput)) {
  const data = JSON.parse(userInput);
}

// Use safe serialization libraries
import { safeDeserialize } from 'safe-serialize';
const obj = safeDeserialize(userInput);

Configuration

{
  rules: {
    'secure-coding/no-unsafe-deserialization': ['error', {
      dangerousFunctions: ['eval', 'Function', 'serialize.unserialize'],
      safeLibraries: ['safe-serialize', 'json5'],
      validationFunctions: ['isValidJson', 'validateInput']
    }]
  }
}

Options

OptionTypeDefaultDescription
dangerousFunctionsstring[]['eval', 'Function', 'unserialize']Dangerous deserialization functions
safeLibrariesstring[]['safe-serialize']Safe deserialization libraries
validationFunctionsstring[]['isValidJson', 'validateInput']Input validation functions

Error Message Format

The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance:

🔒 CWE-502 OWASP:A08 CVSS:9.8 | Deserialization of Untrusted Data detected | CRITICAL
   Fix: Review and apply the recommended fix | https://owasp.org/Top10/A08_2021/

Message Components

ComponentPurposeExample
Risk StandardsSecurity benchmarksCWE-502 OWASP:A08 CVSS:9.8
Issue DescriptionSpecific vulnerabilityDeserialization of Untrusted Data detected
Severity & ComplianceImpact assessmentCRITICAL
Fix InstructionActionable remediationFollow the remediation steps below
Technical TruthOfficial referenceOWASP Top 10

Known False Negatives

The following patterns are not detected due to static analysis limitations:

Values from Variables

Why: Values stored in variables are not traced.

// ❌ NOT DETECTED - Value from variable
const value = userInput;
dangerousOperation(value);

Mitigation: Validate all user inputs.

Wrapper Functions

Why: Custom wrappers not recognized.

// ❌ NOT DETECTED - Wrapper
myWrapper(userInput); // Uses dangerous API internally

Mitigation: Apply rule to wrapper implementations.

Dynamic Invocation

Why: Dynamic calls not analyzed.

// ❌ NOT DETECTED - Dynamic
obj[method](userInput);

Mitigation: Avoid dynamic method invocation.

Further Reading

no-unlimited-resource-allocation

Detects unlimited resource allocation that could cause DoS. This rule is part of [`eslint-plugin-secure-coding`](https://www.npmjs.com/package/eslint-plugin-sec

no-unsafe-dynamic-require

Disallows dynamic `require()` calls with non-literal arguments that could lead to security vulnerabilities. This rule is part of [`eslint-plugin-secure-coding`]

On this page

Quick SummaryVulnerability and RiskRule DetailsWhy This MattersExamples❌ Incorrect✅ CorrectConfigurationOptionsError Message FormatMessage ComponentsKnown False NegativesValues from VariablesWrapper FunctionsDynamic InvocationFurther ReadingRelated Rules