Deserialization of Untrusted Data in the marshal Module

The Python marshal module provides a way to serialize and deserialize Python objects. However, it is important to be aware that malicious data can be used to attack applications that use the marshal module. For example, a malicious data could be used to cause the decoder to execute arbitrary code.

Example

import marshal


data = {'name': 'John Doe', 'age': 30}

with open('data.dat', 'wb') as f:
    marshal.dump(data, f)

with open('data.dat', 'rb') as f:
    loaded_data = marshal.load(f)

Remediation

To avoid this vulnerability, it is important to only deserialize data from trusted sources. If you are deserializing data from an untrusted source, you should first sanitize the data to remove any potential malicious code.

See also

• marshal — Internal Python object serialization
• CWE-502: Deserialization of Untrusted Data

New in version 0.1.0