Note that common standard library types can be vulnerable to gadget-chain attacks

Owen Mansel-Chan
2026-05-08 14:18:54 +01:00
parent 93e05db394
commit a5ef036465
5 changed files with 15 additions and 5 deletions

@@ -25,7 +25,9 @@ only expected, predefined types are generally not tracked by this query. For
example, Apache Avro's deserialization methods follow a schema and are
therefore generally safe with respect to arbitrary-class-instantiation and
gadget-chain attacks when the schema is trusted and does not permit
user-controlled type resolution.
user-controlled type resolution. However, care must be taken to ensure the schema
strictly limits the allowed types. Permitting common standard library classes
can still leave the application vulnerable to gadget-chain attacks.
</p>
</overview>
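Review bot: The added caveat ("Permitting common standard library classes can still leave the application vulnerable to gadget-chain attacks") should say whether this query reports such cases, because the paragraph opens by stating that schema-constrained deserialization methods are "generally not tracked by this query"; as written, a reader cannot tell whether the warning describes a gap in the query's coverage or a case it flags. It would also help to state the mitigation positively and concretely, for example "restrict the schema to application-defined record types and do not name general-purpose standard library classes", since "care must be taken to ensure the schema strictly limits the allowed types" gives the reader no criterion to check against. Minor: "trusted" in the first sentence now carries two meanings (the schema's origin versus the types it permits), so consider "when the schema comes from a trusted source and ... " to keep the two conditions distinct.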