Rule Information
Tags
pythondeserializationpicklerceuntrusted-dataowasp-a08cwe-502remote-code-executioncriticalsecurityintra-procedural
CWE References
CVE References
Interactive Playground
Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.
pathfinder scan --ruleset python/PYTHON-DESER-001 --project .1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
rule.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
Frequently Asked Questions
Common questions about Unsafe Pickle Deserialization
Unsafe pickle deserialization: Untrusted data flows to pickle.loads() which can execute arbitrary code. Use json.loads() instead.
Use Code Pathfinder to scan your codebase: pathfinder scan --ruleset python/PYTHON-DESER-001 --project .
This vulnerability is rated as CRITICAL severity.
Yes! Code Pathfinder allows you to customize rules. Modify detection patterns, adjust severity levels, add custom sanitizers, and configure the rule to fit your organization's security policies.
New feature
Get these findings posted directly on your GitHub pull requests
The Unsafe Pickle Deserialization rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.