VYPR

CWE-502

Deserialization of Untrusted Data

BaseDraftLikelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 67 of 87
  • CVE-2025-60455Nov 18, 2025
    risk 0.00cvss epss 0.00

    Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used allowing attackers to execute arbitrary code.

  • CVE-2025-64512Nov 10, 2025
    risk 0.00cvss epss 0.00

    Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for extracting information from PDF documents. Prior to version 20251107, pdfminer.six will execute arbitrary code from a malicious pickle file if provided with a malicious PDF file. The…

  • CVE-2025-63675Oct 31, 2025
    risk 0.00cvss epss 0.00

    cryptidy through 1.2.4 allows code execution via untrusted data because pickle.loads is used. This occurs in aes_decrypt_message in symmetric_encryption.py.

  • CVE-2025-54539Oct 16, 2025
    risk 0.00cvss epss 0.02

    A Deserialization of Untrusted Data vulnerability exists in the Apache ActiveMQ NMS AMQP Client. This issue affects all versions of Apache ActiveMQ NMS AMQP up to and including 2.3.0, when establishing connections to untrusted AMQP servers. Malicious servers could exploit…

  • CVE-2025-61622Oct 1, 2025
    risk 0.00cvss epss 0.41

    Deserialization of untrusted data in python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions from 0.1.0 through 0.10.3: allows arbitrary code execution. An application is vulnerable if it reads pyfory serialized data from untrusted sources. An…

  • CVE-2025-48459Sep 24, 2025
    risk 0.00cvss epss 0.00

    Deserialization of Untrusted Data vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 2.0.5. Users are recommended to upgrade to version 2.0.5, which fixes the issue.

  • CVE-2025-6544Sep 21, 2025
    risk 0.00cvss epss 0.01

    A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular…

  • CVE-2025-9906Sep 19, 2025
    risk 0.00cvss epss 0.00

    The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. One can create a specially crafted .keras model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by…

  • CVE-2025-59713Sep 19, 2025
    risk 0.00cvss epss 0.00

    Snipe-IT before 8.1.18 allows unsafe deserialization.

  • CVE-2025-10492Sep 16, 2025
    risk 0.00cvss epss 0.01

    A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library

  • CVE-2025-59328Sep 15, 2025
    risk 0.00cvss epss 0.01

    A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). The issue stems from the insecure deserialization of untrusted data. An attacker can supply a large, specially crafted data payload that, when processed, consumes an excessive amount of…

  • CVE-2025-58757Sep 8, 2025
    risk 0.00cvss epss 0.01

    MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.0, the `pickle_operations` function in `monai/data/utils.py` automatically handles dictionary key-value pairs ending with a specific suffix and deserializes them…

  • CVE-2025-58756Sep 8, 2025
    risk 0.00cvss epss 0.01

    MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.0, in `model_dict = torch.load(full_path, map_location=torch.device(device), weights_only=True)` in monai/bundle/scripts.py , `weights_only=True` is loaded securely.…

  • CVE-2025-58782Sep 8, 2025
    risk 0.00cvss epss 0.01

    Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1. Deployments that accept JNDI URIs for…

  • CVE-2025-43960Aug 25, 2025
    risk 0.00cvss epss 0.01

    Adminer 4.8.1, when using Monolog for logging, allows a Denial of Service (memory consumption) via a crafted serialized payload (e.g., using s:1000000000), leading to a PHP Object Injection issue. Remote, unauthenticated attackers can trigger this by sending a malicious…

  • CVE-2025-8747Aug 11, 2025
    risk 0.00cvss epss 0.00

    A safe mode bypass vulnerability in the `Model.load_model` method in Keras versions 3.0.0 through 3.10.0 allows an attacker to achieve arbitrary code execution by convincing a user to load a specially crafted `.keras` model archive.

  • CVE-2025-53606Aug 8, 2025
    risk 0.00cvss epss 0.01

    Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): 2.4.0. Users are recommended to upgrade to version 2.5.0, which fixes the issue.

  • CVE-2025-32897Jun 28, 2025
    risk 0.00cvss epss 0.02

    Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This security vulnerability is the same as CVE-2024-47552, but the version range described in the CVE-2024-47552 definition is too narrow. This issue affects Apache Seata (incubating): from 2.0.0…

  • CVE-2025-27819Jun 10, 2025
    risk 0.00cvss epss 0.01

    In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API. But not only Kafka Connect API is vulnerable to this attack, the Apache Kafka brokers also have this vulnerability. To exploit this vulnerability,…

  • CVE-2025-27818Jun 10, 2025
    risk 0.00cvss epss 0.01

    A possible security vulnerability has been identified in Apache Kafka. This requires access to a alterConfig to the cluster resource, or Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based…