
# Insecure deserialization

## What is it?

Insecure deserialization attacks occur when an attacker is able to manipulate serialized (formatted for storage or transmission) objects in order to change the application's intended flow or to execute arbitrary code. These attacks exploit weaknesses in the way applications deserialize input data, typically by supplying crafted data that the target system interprets as a valid object.

Serialization is the process of turning an object into a format that can be transmitted or stored, and deserialization is the reverse process - turning serialized data back into an object. If an application doesn't properly validate or sanitize the serialized objects before deserializing them, it can lead to several types of attacks, such as:

* Remote Code Execution (RCE)
* Replay attacks
* Injection attacks
* Privilege escalation attacks

Insecure deserialization can occur in any programming language that supports serialized objects, but some common languages where these vulnerabilities often occur include Java, PHP, Python, and .NET.
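As an added example (not code from this page or from any project it references), the following Python shows the two layers the text calls for when an application must accept serialized input: an unpickler that refuses to resolve any class outside an allowlist, and validation of the reconstructed object's shape before it is used. The `load_session` function, its session-record format and the sample blobs are assumptions constructed for this illustration.

```python
import collections
import io
import pickle
from datetime import datetime

# Names the application is prepared to reconstruct from serialized input.
# Everything else is refused before any object is built.
SAFE_GLOBALS = {("datetime", "datetime")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals (the "restricting
    globals" pattern from the Python pickle documentation)."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def unsafe_loads(data: bytes):
    # Vulnerable pattern: reconstructs whatever class the bytes name.
    return pickle.loads(data)


def load_session(data: bytes) -> dict:
    """Deserialize with restricted globals, then validate the record's shape."""
    obj = RestrictedUnpickler(io.BytesIO(data)).load()
    if not (isinstance(obj, dict)
            and isinstance(obj.get("user"), str)
            and isinstance(obj.get("login_at"), datetime)):
        raise ValueError("session record failed validation")
    return obj


def try_load_session(data: bytes):
    """Return ("ok", record) or ("rejected", reason) for a serialized blob."""
    try:
        return "ok", load_session(data)
    except (pickle.UnpicklingError, ValueError) as exc:
        return "rejected", str(exc)


# Constructed sample inputs (hypothetical, not captured traffic).
VALID_SESSION = pickle.dumps({"user": "alice", "login_at": datetime(2024, 5, 1, 9, 30)})
WRONG_SHAPE = pickle.dumps({"user": 42})                  # allowed globals, bad content
FOREIGN_OBJECT = pickle.dumps(collections.deque([1, 2]))  # class outside the allowlist

if __name__ == "__main__":
    for blob in (VALID_SESSION, WRONG_SHAPE, FOREIGN_OBJECT):
        print(try_load_session(blob))
    print(type(unsafe_loads(FOREIGN_OBJECT)).__name__)  # the unrestricted path builds it
```

The restricted loader rejects the foreign object before any instance is created, while `unsafe_loads` happily reconstructs it; the shape check then catches blobs that name only permitted classes but carry the wrong content.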

For more details on specific insecure deserialization attacks and mitigations, see the relevant child pages.
