security.deserialization

Protect deserialization trust boundaries

Deserializers should not consume untrusted payloads directly across a trust boundary.

# Metadata

# Why it matters

Deserializing untrusted payloads can let attacker-controlled data reshape parser state, object graphs, or downstream runtime behavior.

# Remediation

Deserialize only from trusted producers, or validate and constrain the payload shape before crossing the deserialization boundary.
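As an added illustration of the second option (validate and constrain the payload shape before crossing the boundary), not code from this rule catalog: a Python function that takes untrusted bytes, parses them with a data-only format, checks the result against an allowlisted schema and bounds, and only then constructs the typed object. The `Order` type, `ORDER_SCHEMA`, and the size and range limits are assumptions made for the example.

```python
import json
from dataclasses import dataclass

# Assumed limits for the example; tune to the real producer's contract.
MAX_PAYLOAD_BYTES = 64 * 1024
# Allowlisted fields and their expected JSON types (constructed schema).
ORDER_SCHEMA = {"order_id": int, "sku": str, "quantity": int}


@dataclass(frozen=True)
class Order:
    order_id: int
    sku: str
    quantity: int


class PayloadRejected(ValueError):
    """Raised when an untrusted payload fails shape or bounds validation."""


def deserialize_order(raw: bytes) -> Order:
    """Turn untrusted bytes into an Order without letting the payload shape the object graph.

    Contrast: a native object format such as pickle.loads(raw) would let the payload
    choose which classes and callables run during load; JSON yields only plain data.
    """
    if len(raw) > MAX_PAYLOAD_BYTES:
        raise PayloadRejected("payload too large")
    try:
        data = json.loads(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        raise PayloadRejected(f"malformed JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise PayloadRejected("top-level value must be an object")
    unexpected = set(data) - set(ORDER_SCHEMA)
    if unexpected:
        raise PayloadRejected(f"unexpected fields: {sorted(unexpected)}")
    for field, expected in ORDER_SCHEMA.items():
        if field not in data:
            raise PayloadRejected(f"missing field: {field}")
        value = data[field]
        # bool is a subclass of int in Python, so reject it explicitly for int fields.
        if not isinstance(value, expected) or isinstance(value, bool):
            raise PayloadRejected(f"field {field} has wrong type")
    if not 1 <= data["quantity"] <= 1000:
        raise PayloadRejected("quantity out of range")
    if not 0 < len(data["sku"]) <= 64:
        raise PayloadRejected("sku length out of range")
    # Only now cross the boundary: build the typed object from validated fields.
    return Order(order_id=data["order_id"], sku=data["sku"], quantity=data["quantity"])


def rejects(raw: bytes) -> bool:
    """Helper for checks: True if the payload is refused at the boundary."""
    try:
        deserialize_order(raw)
    except PayloadRejected:
        return True
    return False
```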

# Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/shared/security.unsafe-deserialization.rule.yaml.