Serializable Class Containing Sensitive Data

Status: Draft
Abstraction: Variant
Structure: Simple
Description

This vulnerability occurs when a class containing sensitive information, such as credentials or personal data, is left serializable by default. Because the class does not explicitly prevent serialization, its internal data can be accessed and extracted by other parts of the application or external processes.

Extended Description

When a class implements Serializable without safeguards, it effectively becomes an open book. Its sensitive fields cannot be truly hidden: any code with serialization access can write the object out, or reconstruct it from a stream, and read its private data, bypassing the intended access controls. This exposes critical information that should remain protected. To prevent this, developers should explicitly deny serialization for sensitive classes, by marking the sensitive fields as transient or by overriding the serialization methods so that they refuse to run. While SAST tools can detect this pattern, Plexicus uses AI to not only identify the flaw but also generate the specific code fix, such as adding a custom `readObject` method, saving significant manual remediation time across your codebase.

Common Consequences
Scope: Confidentiality

Impact: Read Application Data

An attacker can write the object out to a byte stream, then extract the sensitive data from it.

Detection Methods
Automated Static Analysis (Effectiveness: High)
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Potential Mitigations
Phase: Implementation
In Java, explicitly define a final writeObject() method to prevent serialization. This is the recommended solution: have writeObject() throw an exception that explicitly denies serialization.
Phase: Implementation
Make sure to prevent serialization of your objects.
Demonstrative Examples
This code creates a new record for a medical patient:

Code Example (Bad), Java:
This object does not explicitly deny serialization, allowing an attacker to serialize an instance of this object and gain a patient's name and Social Security number even though those fields are private.
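The hardened counterpart of the patient record described above, written as an added example (not the page's or CWE's own listing): it applies the recommended mitigation of a final `writeObject()` that throws, refuses `readObject()` as well, and marks the sensitive fields transient. The class name `PatientRecord`, the field names and the sample values are assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Hypothetical patient record (class and field names are assumptions). It still
// implements Serializable, e.g. because a framework base type requires it, but
// it must never reach a byte stream.
class PatientRecord implements Serializable {
    // transient keeps the fields out of default serialization even if the writeObject override were removed.
    private final transient String name;
    private final transient String socialSecurityNum;

    PatientRecord(String name, String ssn) {
        this.name = name;
        this.socialSecurityNum = ssn;
    }

    // Recommended mitigation: a final writeObject that refuses to serialize.
    private final void writeObject(ObjectOutputStream out) throws IOException {
        throw new NotSerializableException("PatientRecord must not be serialized");
    }

    // Refuse deserialization too, so a crafted stream cannot rebuild an instance.
    private final void readObject(ObjectInputStream in) throws IOException {
        throw new NotSerializableException("PatientRecord must not be deserialized");
    }
}

public class SerializationDenialDemo {
    // Returns true when serializing the object is rejected, false if its bytes were written.
    static boolean serializationIsDenied(Object o) {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(o);
            return false; // the private fields are now in the stream
        } catch (NotSerializableException e) {
            return true;
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        PatientRecord r = new PatientRecord("Jane Doe", "000-00-0000"); // constructed sample data
        System.out.println("Serialization denied: " + serializationIsDenied(r));
    }
}
```

Running the demo prints `Serialization denied: true`; removing the `writeObject` override makes it print `false`, which is the condition a SAST rule for this weakness flags.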
References
REF-18: Secure Software, Inc., "The CLASP Application Security Process", 2005.
Likelihood of Exploit

High

Applicable Platforms
Languages:
Java (Prevalence: Undetermined)
Modes of Introduction
Implementation
Taxonomy Mapping
  • CLASP
  • The CERT Oracle Secure Coding Standard for Java (2011)
  • Software Fault Patterns