# Unsafe Deserialization

- ID: javascript-unsafe-deserialization
- Severity: CRITICAL
- CWE: Deserialization of Untrusted Data (CWE-502)
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify, nodejs, nextjs

## Description

Detects user input flowing to unsafe deserialization functions such as `node-serialize` or `yaml.load()`.

## Detection Message

Dangerous deserialization detected: {sink} Input from {source} is deserialized without validation. This can lead to Remote Code Execution (RCE) if an attacker provides malicious serialized data.

## Remediation

Use `JSON.parse()` instead of `node-serialize`, or use `yaml.SAFE_SCHEMA` for YAML parsing.

```javascript
const yaml = require('js-yaml');

// JSON.parse() only builds data; it never evaluates code in the input.
const data = JSON.parse(userInput);

// Or for YAML: restrict parsing to the safe schema (js-yaml 3.x API;
// in js-yaml 4.x, load() uses a safe schema by default).
const config = yaml.load(input, { schema: yaml.SAFE_SCHEMA });
```

Learn more: https://shoulder.dev/learn/javascript/cwe-502/unsafe-deserialization

## Related Rules

- **Insecure Deserialization** [HIGH]:
- **LLM Training Data Poisoning** [HIGH]:
- **Unsafe Deserialization** [CRITICAL]:
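The Description and Detection Message sections describe a source-to-sink check. The following is an added example, not code from the rule page or its author: a minimal line-based taint scan over constructed Express handler source that tracks variables assigned from request fields, flags calls to the two sinks the rule names, and fills the page's `{sink}` / `{source}` message template. The `scan`, `findSource` and `detectionMessage` names, the `SAMPLE` snippet and the `SAFE_SCHEMA` exemption are this example's own assumptions.

```javascript
// Request fields treated as untrusted sources (assumed list).
const SOURCES = ['req.body', 'req.query', 'req.params', 'req.headers'];
// Sinks named by the rule: node-serialize's unserialize() and js-yaml's load().
const SINKS = [/\bserialize\.unserialize\s*\(/, /\byaml\.load\s*\(/];

// Message template as given on the rule page.
function detectionMessage(sink, source) {
  return `Dangerous deserialization detected: ${sink} Input from ${source} ` +
    'is deserialized without validation. This can lead to Remote Code Execution (RCE) ' +
    'if an attacker provides malicious serialized data.';
}

// Return the request source an expression derives from, or null if it is clean.
function findSource(expr, tainted) {
  for (const s of SOURCES) if (expr.includes(s)) return s;
  for (const [name, src] of tainted) if (new RegExp(`\\b${name}\\b`).test(expr)) return src;
  return null;
}

// Scan source lines top to bottom; propagate taint through simple assignments.
function scan(sourceLines) {
  const tainted = new Map(); // variable name -> originating request source
  const findings = [];
  sourceLines.forEach((line, idx) => {
    const assign = line.match(/^\s*(?:const|let|var)\s+(\w+)\s*=\s*(.+?);?\s*$/);
    if (assign) {
      const src = findSource(assign[2], tainted);
      if (src) tainted.set(assign[1], src);
    }
    for (const sinkRe of SINKS) {
      const m = line.match(sinkRe);
      if (!m) continue;
      // A yaml.load() call that passes SAFE_SCHEMA matches the page's remediation.
      if (/SAFE_SCHEMA/.test(line)) break;
      const argStart = m.index + m[0].length;
      const end = line.indexOf(')', argStart);
      const arg = end === -1 ? line.slice(argStart) : line.slice(argStart, end);
      const src = findSource(arg, tainted);
      if (src) {
        const sink = m[0].replace(/\s*\($/, '()');
        findings.push({ line: idx + 1, sink, source: src, message: detectionMessage(sink, src) });
      }
      break;
    }
  });
  return findings;
}

// Constructed handler source used as sample input.
const SAMPLE = [
  "app.post('/profile', (req, res) => {",
  '  const raw = req.body.profile;',
  '  const user = serialize.unserialize(raw);',                        // tainted via raw
  '  const prefs = JSON.parse(req.body.prefs);',                       // not a sink
  '  const cfg = yaml.load(req.query.cfg);',                           // direct source
  '  const safeCfg = yaml.load(fixture, { schema: yaml.SAFE_SCHEMA });', // remediated
  '  res.json({ user, prefs, cfg, safeCfg });',
  '});',
];

for (const f of scan(SAMPLE)) console.log(`line ${f.line}: ${f.message}`);
```

The scan is deliberately flow-insensitive: a variable stays tainted for the rest of the file, which errs toward reporting, and it does not follow taint across function boundaries or object properties the way the rule's engine would.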
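The Remediation section replaces `node-serialize` with `JSON.parse()`; the detection message also asks that input be validated, which `JSON.parse()` alone does not do. The following is an added example, not code from the rule page: `JSON.parse()` wrapped in a size cap and a shape check, so only the expected fields with the expected primitive types reach application code and any unexpected keys are dropped. `parseUntrusted`, `safeParse`, `PROFILE_SHAPE`, `MAX_BYTES` and the sample payloads are this example's own constructions.

```javascript
const MAX_BYTES = 64 * 1024; // assumed per-request payload cap

// Expected shape of a profile payload: field name -> primitive type.
const PROFILE_SHAPE = { username: 'string', age: 'number', admin: 'boolean' };

// Parse an untrusted string as JSON and validate it against a shape.
// Throws on oversized, malformed, non-object or mistyped input.
function parseUntrusted(raw, shape) {
  if (typeof raw !== 'string') throw new TypeError('expected a string payload');
  if (Buffer.byteLength(raw, 'utf8') > MAX_BYTES) throw new RangeError('payload too large');
  let value;
  try {
    value = JSON.parse(raw); // data only: never evaluates code, unlike node-serialize
  } catch (e) {
    throw new SyntaxError('malformed JSON');
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new TypeError('expected a JSON object');
  }
  const out = {};
  for (const [key, type] of Object.entries(shape)) {
    if (!Object.prototype.hasOwnProperty.call(value, key) || typeof value[key] !== type) {
      throw new TypeError(`field ${key} must be ${type}`);
    }
    out[key] = value[key];
  }
  // Keys not in the shape (including "__proto__" or "constructor", which a
  // later object merge could act on) never reach the returned object.
  return out;
}

// Non-throwing wrapper for call sites that prefer a result object.
function safeParse(raw, shape) {
  try {
    return { ok: true, value: parseUntrusted(raw, shape) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Constructed sample payloads.
const GOOD = '{"username":"alice","age":31,"admin":false,"extra":"ignored"}';
const TYPE_MISMATCH = '{"username":"alice","age":"31","admin":false}';
const UNKNOWN_KEYS = '{"username":"bob","age":20,"admin":true,"__proto__":{"isAdmin":true}}';

console.log(safeParse(GOOD, PROFILE_SHAPE));
console.log(safeParse(TYPE_MISMATCH, PROFILE_SHAPE));
console.log(Object.keys(parseUntrusted(UNKNOWN_KEYS, PROFILE_SHAPE)));
```

The shape table is intentionally flat; for nested payloads a schema library would take its place, but the pattern is the same: parse with a data-only parser, then accept only what the handler expects.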