Missing Serialization Control Element

Abstraction: Base
Status: Incomplete
Structure: Simple
Description

This weakness occurs when a class or data structure is marked as serializable but does not define the control methods needed to serialize and deserialize its state correctly.

Extended Description

When a class is declared serializable (by applying the `[Serializable]` attribute in .NET, or by implementing `java.io.Serializable` in Java) but does not define the serialization control methods its state requires, the runtime falls back to default field-by-field serialization. That default is often insufficient: transient and non-serializable fields (locks, open handles, caches) come back as null or default values, the constructor and its argument checks do not run during deserialization, and invariants between fields are never re-established. The result is runtime exceptions, corrupted objects or unpredictable behavior when objects are saved and restored. If an attacker can reach this serialization path, these reliability defects become security problems: an unhandled exception can crash a service (denial of service), and an object restored with an inconsistent or out-of-range state can be exploited later in the program. Implement the control methods the platform provides, such as `writeObject` and `readObject` (and `readResolve` where object identity matters) in Java, or `ISerializable.GetObjectData` together with the deserialization constructor in .NET, and use them to restore transient state and re-validate every invariant the constructor would have enforced. These methods make serialization of trusted data correct; they do not by themselves make it safe to deserialize data from an untrusted source.
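The following is an added example, not code from the CWE entry. It contrasts a Java class that is Serializable but has no control methods (the transient lock comes back null, so the first call after deserialization throws) with the same class given `writeObject`/`readObject` that rebuild the transient dependency and re-check the constructor's invariants. Class, field and method names are hypothetical.

```java
import java.io.*;

/*
 * Added example, not part of the CWE entry. Names are hypothetical.
 * UncontrolledCounter has the weakness; ControlledCounter is the fix.
 */
public class SerializationControlDemo {

    // Weak shape: Serializable, but no control methods. Field initializers and the
    // constructor do not run on deserialization, so `lock` is restored as null and
    // nothing re-checks the relationship between `count` and `limit`.
    static class UncontrolledCounter implements Serializable {
        private static final long serialVersionUID = 1L;
        private final int limit;
        private int count;
        private transient Object lock = new Object(); // not Serializable; lost on restore

        UncontrolledCounter(int limit) {
            if (limit <= 0) throw new IllegalArgumentException("limit must be positive");
            this.limit = limit;
        }

        int increment() {
            synchronized (lock) {      // NullPointerException on a deserialized instance
                if (count >= limit) throw new IllegalStateException("limit reached");
                return ++count;
            }
        }
    }

    // Corrected shape: explicit control methods restore transient state and
    // re-validate the invariants the constructor enforced.
    static class ControlledCounter implements Serializable {
        private static final long serialVersionUID = 1L;
        private final int limit;
        private int count;
        private transient Object lock = new Object();

        ControlledCounter(int limit) {
            if (limit <= 0) throw new IllegalArgumentException("limit must be positive");
            this.limit = limit;
        }

        int increment() {
            synchronized (lock) {
                if (count >= limit) throw new IllegalStateException("limit reached");
                return ++count;
            }
        }

        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();   // writes limit and count; transient lock is skipped
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // The constructor did not run, so re-establish its invariants here and
            // reject a stream that encodes an impossible state.
            if (limit <= 0 || count < 0 || count > limit) {
                throw new InvalidObjectException(
                        "corrupt counter state: limit=" + limit + " count=" + count);
            }
            lock = new Object();        // rebuild the non-serializable dependency
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        UncontrolledCounter u = new UncontrolledCounter(3);
        u.increment();
        UncontrolledCounter uRestored = (UncontrolledCounter) deserialize(serialize(u));
        try {
            uRestored.increment();
            System.out.println("uncontrolled: increment succeeded");
        } catch (NullPointerException e) {
            System.out.println("uncontrolled: NullPointerException, transient lock was not restored");
        }

        ControlledCounter c = new ControlledCounter(3);
        c.increment();
        ControlledCounter cRestored = (ControlledCounter) deserialize(serialize(c));
        System.out.println("controlled: count after restore and increment = " + cRestored.increment());
    }
}
```

Running `main` exercises both paths: the uncontrolled instance fails with a `NullPointerException` the moment it is used after a round trip, while the controlled instance carries its count across the round trip and keeps working. The invariant check in `readObject` is the part a reviewer should look for, since it is the only place a serializable class can reject state the constructor would never have produced.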

Common Consequences
Scope: Other

Impact: Reduce Reliability

References
[REF-961] Object Management Group (OMG). "Automated Source Code Reliability Measure (ASCRM)". January 2016.
Taxonomy Mapping
  • OMG ASCRM