Last updated: May 1, 2026
Insecure deserialization is the vulnerability class that turns “your application accepts a serialized object from a user” into “remote code execution.” Java, .NET, PHP, Python, Ruby — every language with a native object serialization format has had at least one publicly disclosed deserialization RCE chain. This module covers the mechanism, the major exploit chains, detection, and defenses.
What deserialization is — and why it’s dangerous
Serialization converts an in-memory object graph to a byte stream for storage or transmission. Deserialization reconstructs the object graph from the byte stream. The danger: deserializers often invoke constructors, magic methods, or property setters as part of reconstruction, and they do so for whatever class the byte stream names, not just the class the application expected. Attacker controls the bytes → attacker controls which classes are instantiated, and therefore what code runs during reconstruction.
The classic example: Java’s ObjectInputStream.readObject() will instantiate any Serializable class on the classpath and, if that class defines a private readObject(ObjectInputStream) method, call it during reconstruction. If a class on the classpath has a readObject() that does dangerous things (or can be chained through field values to a class that does), exploitation follows.
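The same mechanism, shown with Python’s pickle instead of Java’s ObjectInputStream, as an added example that is not part of the original module. The classes `Config` and `Booby`, the `side_effect` callable and the `INVOKED` log are constructed for this illustration; `__reduce__` is pickle’s equivalent of a custom readObject(): it tells the deserializer which callable to run to rebuild the object, so the byte stream decides what code executes. The allow-listing `Unpickler.find_class` override is the mitigation the Python standard-library documentation itself recommends (restricting globals); here it blocks the reconstruction hook before it ever runs.

```python
import io
import pickle

# Constructed for this example: records which reconstruction hooks actually ran.
# In a real chain, the side effect here would be the attacker's payload.
INVOKED = []


def side_effect(tag):
    """Stand-in for 'code that runs during reconstruction' (benign: it only logs)."""
    INVOKED.append(tag)
    return tag


class Config:
    """An ordinary application class that legitimately travels over the wire."""

    def __init__(self, name):
        self.name = name


class Booby:
    """Constructed class whose __reduce__ steers the unpickler into calling side_effect.

    pickle stores (callable, args) and the loader calls callable(*args) to rebuild
    the object, so the serialized bytes, not the receiving program, pick the code.
    """

    def __reduce__(self):
        return (side_effect, ("reduce-hook-ran",))


def make_trusted_bytes():
    """Bytes the application expects: a serialized Config."""
    return pickle.dumps(Config("prod"))


def make_untrusted_bytes():
    """Bytes naming a different class than the application expects."""
    return pickle.dumps(Booby())


def unrestricted_load(data):
    """What most code does: pickle.loads() resolves and calls whatever the stream names."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list unpickler: only explicitly named classes may be resolved during load.

    Every global lookup in the stream (classes, functions) goes through find_class,
    so refusing unknown names here stops the hook before it is invoked.
    """

    # Use Config's real module name so the allow-list works whether this file is
    # run as a script or imported as a module.
    ALLOWED = {(Config.__module__, "Config")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global during deserialization: {module}.{name}")


def safe_loads(data):
    """Deserialize with the allow-list; raises UnpicklingError for anything not allowed."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_safe_loads(data):
    """Convenience wrapper returning ('ok', obj) or ('blocked', message)."""
    try:
        return ("ok", safe_loads(data))
    except pickle.UnpicklingError as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    print("unrestricted:", unrestricted_load(make_untrusted_bytes()), "hooks ran:", INVOKED)
    INVOKED.clear()
    print("restricted (untrusted):", try_safe_loads(make_untrusted_bytes())[0], "hooks ran:", INVOKED)
    print("restricted (trusted):", try_safe_loads(make_trusted_bytes())[1].name)
```

Note that `unrestricted_load` never references `Booby` or `side_effect`: the receiving code only called `pickle.loads`, yet the hook ran because the stream named it. That is the property every deserialization RCE chain relies on, and why an allow-list on resolved types (rather than a deny-list of known gadgets) is the defense that generalizes.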