Serializable Data Element Containing non-Serializable Item Elements

Status: Incomplete
Abstraction: Base
Structure: Simple
Description

This weakness occurs when a class or data structure is marked as serializable, but it contains one or more member elements that cannot be serialized. This mismatch prevents the entire object from being properly saved or transmitted.

Extended Description

This issue primarily causes runtime failures, such as `SerializationException` in .NET or `NotSerializableException` in Java, which can crash your application or corrupt data during critical operations like saving state, caching, or remote communication. If an attacker can trigger this code path, these reliability flaws can be exploited to cause denial-of-service, bypass security mechanisms, or lead to unexpected system behavior. To prevent this, ensure all member fields within a serializable class are themselves serializable. Common culprits include file handles, thread objects, database connections, or custom classes missing the serialization marker. Use the `transient` keyword in Java or `[NonSerialized]` attribute in .NET to explicitly exclude non-serializable members if they are not required for the object's stored state.
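As an added example (not part of the CWE entry), the Java form of this weakness and its fix: a `Serializable` class that carries a non-serializable handle, the same class with the handle marked `transient` and rebuilt after deserialization, and a memory round-trip that surfaces the mismatch in a unit test instead of in production. All class and field names are constructed for illustration.

```java
import java.io.*;

public class SerializableMismatchDemo {

    // Constructed helper: a resource-like class that does NOT implement Serializable.
    static final class ConnectionHandle {
        final String target;
        ConnectionHandle(String target) { this.target = target; }
    }

    // Weak: marked Serializable but holds a non-serializable member (CWE-594).
    static final class WeakSession implements Serializable {
        private static final long serialVersionUID = 1L;
        String userId = "alice";
        ConnectionHandle conn = new ConnectionHandle("db01");   // writeObject fails here
    }

    // Fixed: the handle is excluded with 'transient' and rebuilt on deserialization.
    static final class FixedSession implements Serializable {
        private static final long serialVersionUID = 1L;
        String userId = "alice";
        transient ConnectionHandle conn = new ConnectionHandle("db01");

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();                  // restores userId
            conn = new ConnectionHandle("db01");     // re-create non-persisted state
        }
    }

    // Round-trip through memory: the check a unit test should run on every Serializable type.
    static <T> T roundTrip(T obj) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            @SuppressWarnings("unchecked") T copy = (T) in.readObject();
            return copy;
        }
    }

    public static void main(String[] args) throws Exception {
        try {
            roundTrip(new WeakSession());
        } catch (NotSerializableException e) {
            System.out.println("WeakSession failed: " + e.getMessage()); // names ConnectionHandle
        }
        FixedSession copy = roundTrip(new FixedSession());
        System.out.println("FixedSession ok: user=" + copy.userId + " conn=" + copy.conn.target);
    }
}
```

Running the round-trip in tests for every type that implements `Serializable` turns the runtime `NotSerializableException` described above into a build-time failure.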

Common Consequences
  • Scope: Other
  • Impact: Reduce Reliability

References
  • [REF-961] Object Management Group (OMG). "Automated Source Code Reliability Measure (ASCRM)". 2016-01.
Taxonomy Mapping
  • OMG ASCRM