CWE · MITRE source
CWE-502: Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (7) [AI]
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SI-10 | Information Input Validation | SI | Validates or rejects untrusted serialized data before deserialization occurs. |
| SI-3 | Malicious Code Protection | SI | Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries. |
| SI-7 | Software, Firmware, and Information Integrity | SI | Integrity verification of serialized information can detect tampering before deserialization occurs. |
| CA-8 | Penetration Testing | CA | Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions. |
| SA-11 | Developer Testing and Evaluation | SA | Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses. |
| SC-44 | Detonation Chambers | SC | Untrusted serialized data can be deserialized and observed inside the chamber, blocking gadget-chain exploitation outside the sandbox. |
| SR-4 | Provenance | SR | Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2021-44228 (KEV) | 9.7 | 10.0 | 0.9446 | 2021-12-10 |
| CVE-2023-40044 (KEV) | 9.7 | 10.0 | 0.9444 | 2023-09-27 |
| CVE-2023-46604 (KEV) | 9.7 | 10.0 | 0.9444 | 2023-10-27 |
| CVE-2015-7450 (KEV) | 9.6 | 9.8 | 0.9327 | 2016-01-02 |
| CVE-2017-3066 (KEV) | 9.6 | 9.8 | 0.9368 | 2017-04-27 |
| CVE-2017-12149 (KEV) | 9.6 | 9.8 | 0.9429 | 2017-10-04 |
| CVE-2017-1000353 (KEV) | 9.6 | 9.8 | 0.9448 | 2018-01-29 |
| CVE-2018-2628 (KEV) | 9.6 | 9.8 | 0.9442 | 2018-04-19 |
| CVE-2018-1000861 (KEV) | 9.6 | 9.8 | 0.9448 | 2018-12-10 |
| CVE-2019-10068 (KEV) | 9.6 | 9.8 | 0.9381 | 2019-03-26 |
| CVE-2019-18935 (KEV) | 9.6 | 9.8 | 0.9358 | 2019-12-11 |
| CVE-2020-10189 (KEV) | 9.6 | 9.8 | 0.9425 | 2020-03-06 |
| CVE-2020-7961 (KEV) | 9.6 | 9.8 | 0.9435 | 2020-03-20 |
| CVE-2021-35464 (KEV) | 9.6 | 9.8 | 0.9439 | 2021-07-22 |
| CVE-2021-42237 (KEV) | 9.6 | 9.8 | 0.9437 | 2021-11-05 |
| CVE-2022-35405 (KEV) | 9.6 | 9.8 | 0.9421 | 2022-07-19 |
| CVE-2022-47986 (KEV) | 9.6 | 9.8 | 0.9435 | 2023-02-17 |
| CVE-2023-29300 (KEV) | 9.6 | 9.8 | 0.9368 | 2023-07-12 |
| CVE-2023-38203 (KEV) | 9.6 | 9.8 | 0.9424 | 2023-07-20 |
| CVE-2023-43208 (KEV) | 9.6 | 9.8 | 0.9442 | 2023-10-26 |
| CVE-2025-24016 (KEV) | 9.6 | 9.9 | 0.9351 | 2025-02-10 |
| CVE-2025-24813 (KEV) | 9.6 | 9.8 | 0.9414 | 2025-03-10 |
| CVE-2015-4852 (KEV) | 9.5 | 9.8 | 0.9295 | 2015-11-18 |
| CVE-2020-2555 (KEV) | 9.5 | 9.8 | 0.9314 | 2020-01-15 |
| CVE-2022-21445 (KEV) | 9.5 | 9.8 | 0.9203 | 2022-04-19 |