CME-1302
Deserialization Allowlist (Safe Loading)
Description
Restricts deserialization to an explicit allowlist of permitted types, classes, or functions. Prevents attacker-controlled serialized data from instantiating arbitrary objects, invoking dangerous functions, or triggering unintended code paths. Applies to JSON schema validation, YAML safe_load, pickle restrictions, and custom deserialization frameworks.
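As an added illustration of the "pickle restrictions" case, not part of this CME entry: a restricted unpickler whose find_class resolves only allowlisted globals, so a payload referencing any other class or function is rejected before it is instantiated. The allowlist contents and the two sample payloads are constructed for the example.

```python
import collections
import io
import pickle

# Allowlist of (module, name) pairs the unpickler may resolve. Anything else,
# including any callable, is refused at find_class time (constructed example set).
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("collections", "OrderedDict"),
}

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global reference not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"deserialization blocked: {module}.{name} is not allowlisted")

def restricted_loads(data: bytes):
    """Deserialize data, permitting only allowlisted globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def try_load(data: bytes):
    """Return (ok, value_or_reason) so callers can log blocked payloads."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)

# Constructed sample inputs: plain containers need no global lookup and load;
# a Counter references collections.Counter, which is not allowlisted.
BENIGN = pickle.dumps({"user": "alice", "roles": ["reader"]})
BLOCKED = pickle.dumps(collections.Counter({"a": 1}))

if __name__ == "__main__":
    print(try_load(BENIGN))   # (True, {'user': 'alice', 'roles': ['reader']})
    print(try_load(BLOCKED))  # (False, 'deserialization blocked: collections.Counter ...')
```

The same pattern applies to any framework that exposes a class-resolution hook; the check must run before instantiation, not after.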
CVSS Vector Impacts
| Metric | Transition | Rationale |
|---|---|---|
| Attack Complexity (AC) | L → H | Only allowlisted types can be deserialized; arbitrary class instantiation blocked |
| Integrity (I) | H → L | Cannot invoke arbitrary functions or modify state via deserialized objects |
CWE Relationships
Verification
Verify deserialization uses safe loading or allowlist enforcement
$ grep -rn 'yaml.safe_load\|SafeLoader\|json.loads' <app_source>/
# Expected: Safe deserialization calls present (not yaml.load without SafeLoader)
Platform: any
$ grep -rn 'yaml.load\|pickle.load\|marshal.load' <app_source>/ | grep -v safe_load
# Expected: No unsafe deserialization calls
Platform: any