# no-unsafe-deserialization

Detects unsafe deserialization of untrusted data

Keywords: unsafe deserialization, CWE-502, RCE, code execution, YAML, pickle, security
CWE: CWE-693
OWASP Mobile: OWASP Mobile Top 10

Detects unsafe deserialization of untrusted data. This rule is part of eslint-plugin-secure-coding.

This rule is set to `error` in the recommended config.

## Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-502 (Unsafe Deserialization) |
| Severity | Critical (CVSS 9.8) |
| Auto-Fix | Suggestions available |
| Category | Security |
## Value & investment case

Why this rule pays for itself. Framework: cicd-impact/philosophy.md.
| Dimension | Value |
|---|---|
| CWE | CWE-502: Deserialization of Untrusted Data (CVSS 9.8, Critical) |
| Feedback-loop tier | Editor / pre-commit (sub-second); cheapest layer per the feedback-loop hierarchy |
| Defensive-layer leverage | ~10× cheaper than unit-test · ~1,000× cheaper than production rollback · 10,000+× cheaper than disclosure; an RCE-class vulnerability sits at the highest tier of the cost-ratio table (cost-ratio anchors) |
| Niche relevance | Critical: fintech, cybersecurity, infra/devtools (downstream RCE blast radius) · High: B2B SaaS, healthtech · Medium: B2C, marketplaces |
| Investor-frame impact | Insecure deserialization → Remote Code Execution (CVSS 9.8). One incident = full system compromise → mandatory disclosure → audit cycle restart → customer trust event. The single highest-leverage rule by counterfactual-value math: the catch costs ~$0; the unprevented bug costs the company. |

Read also: philosophy.md §investor-frame · niche-presets.json · analyzer-evaluation-framework.md
## Vulnerability and Risk

Vulnerability: Unsafe deserialization happens when an application accepts serialized objects from untrusted sources and deserializes them without validation.

Risk: Serialized data can contain malicious payloads that, upon deserialization, execute arbitrary code (Remote Code Execution, RCE), modify application logic, or cause Denial of Service (DoS). This is often considered one of the most critical security risks.

## Rule Details

Unsafe deserialization occurs when untrusted data is deserialized in a way that allows attackers to execute arbitrary code or manipulate application logic. This includes:

- Using `eval()` or `Function()` on untrusted data
- YAML parsers that execute code
- JSON with prototype pollution
- Insecure serialization libraries
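The JSON and validation points in the list above, as an added example that is not code from eslint-plugin-secure-coding: a hardened JSON entry point that parses untrusted input with `JSON.parse` (never as code), strips prototype-pollution keys through a reviver, and checks the result against an expected shape before handing it to application logic. The names `parseUntrustedJson`, `stripUnsafeKeys`, `matchesShape`, `UNSAFE_KEYS` and the sample inputs are this example's own.

```javascript
// Added example (not part of eslint-plugin-secure-coding): a hardened JSON
// entry point that replaces patterns like `new Function(req.body.input)`.
// All names here are this example's own. Two defensive checks are applied:
//   1. input is parsed with JSON.parse, never evaluated as code;
//   2. the parsed value is validated before it reaches application logic,
//      including removal of keys used for prototype pollution.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// JSON.parse reviver: returning undefined deletes the property from its
// containing object, so these keys never survive into the result.
function stripUnsafeKeys(key, value) {
  return UNSAFE_KEYS.has(key) ? undefined : value;
}

// Minimal stand-in for a schema validator: `shape` maps each allowed
// top-level key to the typeof string its value must have. Unknown keys,
// arrays and non-objects are rejected.
function matchesShape(obj, shape) {
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) return false;
  return Object.keys(obj).every(
    (key) => Object.prototype.hasOwnProperty.call(shape, key) && typeof obj[key] === shape[key]
  );
}

// Parses untrusted JSON text and returns a plain object matching `shape`,
// or throws. Callers never see partially validated data.
function parseUntrustedJson(text, shape) {
  let parsed;
  try {
    parsed = JSON.parse(text, stripUnsafeKeys);
  } catch (err) {
    throw new Error('rejected: malformed JSON');
  }
  if (!matchesShape(parsed, shape)) throw new Error('rejected: unexpected shape');
  return parsed;
}

// Constructed sample inputs: a well-formed body and one that smuggles a
// "__proto__" key next to otherwise valid fields.
const USER_SHAPE = { name: 'string', age: 'number' };
const SAMPLE_OK = '{"name":"alice","age":30}';
const SAMPLE_PROTO = '{"name":"bob","age":41,"__proto__":{"isAdmin":true}}';

const user = parseUntrustedJson(SAMPLE_OK, USER_SHAPE);
const cleaned = parseUntrustedJson(SAMPLE_PROTO, USER_SHAPE);
// The stripped result has no own "__proto__" and Object.prototype is untouched.
console.log(user, cleaned, Object.prototype.hasOwnProperty.call(cleaned, '__proto__'));
```

Because the reviver deletes the key at parse time, a later merge of the result into another object cannot reach `Object.prototype` through it.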
## Why This Matters

| Issue | Impact | Solution |
|---|---|---|
| RCE | Full system compromise | Use safe deserializers |
| Object Manipulation | Logic bypass | Validate before deserializing |
| Auth Bypass | Unauthorized access | Use JSON.parse() for JSON data |
## Examples

❌ Incorrect

```js
// Untrusted request data is compiled and executed as code
const func = new Function(req.body.input);
```

✅ Correct

```js
// Use JSON.parse() for JSON data
const data = JSON.parse(userInput);

// YAML with safeLoad (js-yaml 3.x API; in js-yaml 4.x, load() is safe by
// default and safeLoad()/SAFE_SCHEMA no longer exist)
import yaml from 'js-yaml';
const config = yaml.safeLoad(userYaml);

// Or with an explicit safe schema (js-yaml 3.x)
const configWithSchema = yaml.load(userYaml, { schema: yaml.SAFE_SCHEMA });

// Validate before deserialization (isValidJson is one of the rule's
// configurable validationFunctions)
if (isValidJson(userInput)) {
  const validated = JSON.parse(userInput);
}

// Use safe serialization libraries
import { safeDeserialize } from 'safe-serialize';
const obj = safeDeserialize(userInput);
```

## Configuration
```js
{
  rules: {
    'secure-coding/no-unsafe-deserialization': ['error', {
      dangerousFunctions: ['eval', 'Function', 'serialize.unserialize'],
      safeLibraries: ['safe-serialize', 'json5'],
      validationFunctions: ['isValidJson', 'validateInput']
    }]
  }
}
```

## Options
| Option | Type | Default | Description |
|---|---|---|---|
| dangerousFunctions | string[] | ['eval', 'Function', 'unserialize'] | Dangerous deserialization functions |
| safeLibraries | string[] | ['safe-serialize'] | Safe deserialization libraries |
| validationFunctions | string[] | ['isValidJson', 'validateInput'] | Input validation functions |
## Error Message Format

The rule provides LLM-optimized error messages (compact 2-line format) with actionable security guidance:

```
CWE-502 OWASP:A08 CVSS:9.8 | Deserialization of Untrusted Data detected | CRITICAL
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A08_2021/
```

## Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-502 OWASP:A08 CVSS:9.8 |
| Issue Description | Specific vulnerability | Deserialization of Untrusted Data detected |
| Severity & Compliance | Impact assessment | CRITICAL |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |
## Known False Negatives

The following patterns are not detected due to static analysis limitations:

### Values from Variables

Why: Values stored in variables are not traced.

```js
// ❌ NOT DETECTED - Value from variable
const value = userInput;
dangerousOperation(value);
```

Mitigation: Validate all user inputs.

### Wrapper Functions

Why: Custom wrappers are not recognized.

```js
// ❌ NOT DETECTED - Wrapper
myWrapper(userInput); // Uses dangerous API internally
```

Mitigation: Apply the rule to wrapper implementations.

### Dynamic Invocation

Why: Dynamic calls are not analyzed.

```js
// ❌ NOT DETECTED - Dynamic
obj[method](userInput);
```

Mitigation: Avoid dynamic method invocation.
## Further Reading

- OWASP Deserialization - Testing guide
- CWE-502 - Official CWE entry
- js-yaml Security - YAML security

## Related Rules

- `detect-eval-with-expression` - eval() injection
- `detect-object-injection` - Prototype pollution