CWE · MITRE source
CWE-502: Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 5 mapping(s) from 3 framework(s): ATT&CK 3 (mostly) · OWASP-Web 1 (full) · CAPEC 1 (partial)
OWASP Top 10 for Web (2025)
This weakness contributes to A08:2025 Software or Data Integrity Failures.
NIST 800-53 r5 controls that address this weakness (7) · AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SI-10 | Information Input Validation | SI | Validates or rejects untrusted serialized input before it reaches the deserializer. |
| SI-3 | Malicious Code Protection | SI | Detects and blocks malicious code delivered through serialized data at system boundaries. |
| SI-7 | Software, Firmware, and Information Integrity | SI | Integrity verification of the serialized bytes (for example a signature or MAC) detects tampering before deserialization. |
| CA-8 | Penetration Testing | CA | Penetration testing supplies malicious serialized objects, exposing unsafe deserialization and driving corrective action. |
| SA-11 | Developer Testing and Evaluation | SA | Developer testing that exercises untrusted-data handling (deserialization test cases) surfaces unsafe processing so the required flaw-remediation process can address it. |
| SC-44 | Detonation Chambers | SC | Deserializing untrusted input inside an isolated detonation chamber confines any gadget-chain execution to the sandbox. |
| SR-4 | Provenance | SR | Provenance of data (origin and chain of custody) lets the system recognise untrusted sources and refuse to deserialize them. |
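The SI-10 and SI-7 rows above describe the two checks that close this weakness: validate what the deserializer is allowed to reconstruct, and verify the integrity of the bytes before deserializing at all. The following is an added example, not code from the CWE entry or from any of the cross-walked frameworks, using Python's `pickle` as the CWE-502 sink. The `attacker_sink` function, the `Gadget` class, the `Session` class, the demo key and all payloads are constructed for illustration; a real gadget chain would name `os.system` or similar instead of the harmless recorder used here.

```python
"""
Added example for CWE-502 (not from the CWE page or any framework it maps to).
Shows a raw pickle.loads sink, a constructed gadget that makes it run attacker
chosen code, the class allowlist that SI-10 asks for, and the HMAC integrity
check that SI-7 asks for. Every name, key and payload here is constructed.
"""
import hashlib
import hmac
import io
import pickle

# --- the weakness ------------------------------------------------------------
# Bytes from an untrusted source go straight into pickle.loads. A pickle stream
# names the callables to reconstruct, so whoever controls the bytes controls
# which importable callable runs and with which arguments.

def vulnerable_load(blob: bytes):
    return pickle.loads(blob)

# Harmless stand-in for the command an attacker would run (constructed).
EXECUTED = []

def attacker_sink(cmd: str) -> str:
    EXECUTED.append(cmd)
    return "ran:" + cmd

class Gadget:
    """Constructed gadget: its pickle form instructs the unpickler to call
    attacker_sink("id") during deserialization."""
    def __reduce__(self):
        return (attacker_sink, ("id",))

def constructed_malicious_blob() -> bytes:
    return pickle.dumps(Gadget())

# --- SI-10: validate what may be reconstructed --------------------------------
# The only robust validation for a by-name format is an allowlist of the
# globals the application genuinely expects; everything else is rejected
# before any object is built.

class Session:
    """The one type this application expects to receive (constructed)."""
    def __init__(self, user: str, roles: list):
        self.user = user
        self.roles = roles

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Session is defined in this module, so its pickled module name is
        # whatever this file is imported as.
        if module == __name__ and name == "Session":
            return Session
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def safe_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()

# --- SI-7: verify integrity before deserializing ------------------------------
# A MAC over the serialized bytes proves they were produced by a key holder.
# It complements the allowlist rather than replacing it: if the key leaks, an
# attacker can sign a gadget chain, and the allowlist is what still stops it.

SECRET = b"constructed-demo-key-do-not-reuse"  # constructed; load from a KMS in practice
TAG_LEN = hashlib.sha256().digest_size

def seal(obj) -> bytes:
    body = pickle.dumps(obj)
    tag = hmac.new(SECRET, body, hashlib.sha256).digest()
    return tag + body

def open_sealed(blob: bytes):
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: refusing to deserialize")
    return safe_load(body)  # still allowlisted after the tag check

def demo() -> dict:
    """Runs the four cases and returns what each path did."""
    results = {}
    blob = constructed_malicious_blob()
    results["vulnerable"] = vulnerable_load(blob)  # attacker-chosen call runs
    try:
        safe_load(blob)
        results["restricted"] = "loaded"
    except pickle.UnpicklingError as e:
        results["restricted"] = f"rejected: {e}"
    sealed = seal(Session("alice", ["reader"]))
    results["sealed_ok"] = open_sealed(sealed).user
    tampered = sealed[:TAG_LEN] + blob  # keep the old tag, swap in the gadget
    try:
        open_sealed(tampered)
        results["tampered"] = "loaded"
    except ValueError as e:
        results["tampered"] = f"rejected: {e}"
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The same two layers exist in the other ecosystems represented in the CVE list on this page: Java's `ObjectInputFilter` (JEP 290) is the allowlist counterpart to `find_class`, and the usual advice for .NET is to avoid `BinaryFormatter` on untrusted input altogether rather than to filter it. Note that `RestrictedUnpickler` still lets the attacker build arbitrarily nested lists and dicts, so a size limit on the input belongs in front of it as well.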
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
KEV marks entries listed in CISA's Known Exploited Vulnerabilities catalog.
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2015-4852 (KEV) | 10.0 | 9.8 | 0.9603 | 2015-11-18 |
| CVE-2015-7450 (KEV) | 10.0 | 9.8 | 0.9766 | 2016-01-02 |
| CVE-2017-3066 (KEV) | 10.0 | 9.8 | 0.9060 | 2017-04-27 |
| CVE-2017-9805 (KEV) | 10.0 | 8.1 | 0.9946 | 2017-09-15 |
| CVE-2017-12149 (KEV) | 10.0 | 9.8 | 0.9071 | 2017-10-04 |
| CVE-2017-1000353 (KEV) | 10.0 | 9.8 | 0.9969 | 2018-01-29 |
| CVE-2018-0147 (KEV) | 10.0 | 9.8 | 0.1855 | 2018-03-08 |
| CVE-2018-2628 (KEV) | 10.0 | 9.8 | 0.9945 | 2018-04-19 |
| CVE-2018-0824 (KEV) | 10.0 | 8.8 | 0.7347 | 2018-05-09 |
| CVE-2018-4939 (KEV) | 10.0 | 9.8 | 0.6330 | 2018-05-19 |
| CVE-2018-15133 (KEV) | 10.0 | 8.1 | 0.7681 | 2018-08-09 |
| CVE-2018-1000861 (KEV) | 10.0 | 9.8 | 0.9833 | 2018-12-10 |
| CVE-2019-6340 (KEV) | 10.0 | 8.1 | 0.9192 | 2019-02-21 |
| CVE-2019-10068 (KEV) | 10.0 | 9.8 | 0.9603 | 2019-03-26 |
| CVE-2019-9874 (KEV) | 10.0 | 9.8 | 0.8386 | 2019-05-31 |
| CVE-2019-9875 (KEV) | 10.0 | 8.8 | 0.1415 | 2019-05-31 |
| CVE-2019-0344 (KEV) | 10.0 | 9.8 | 0.0708 | 2019-08-14 |
| CVE-2019-15271 (KEV) | 10.0 | 8.8 | 0.0598 | 2019-11-26 |
| CVE-2019-18935 (KEV) | 10.0 | 9.8 | 0.9974 | 2019-12-11 |
| CVE-2020-2555 (KEV) | 10.0 | 9.8 | 0.9712 | 2020-01-15 |
| CVE-2020-0618 (KEV) | 10.0 | 8.8 | 0.9905 | 2020-02-11 |
| CVE-2020-10189 (KEV) | 10.0 | 9.8 | 0.9994 | 2020-03-06 |
| CVE-2020-7961 (KEV) | 10.0 | 9.8 | 0.9978 | 2020-03-20 |
| CVE-2020-5741 (KEV) | 10.0 | 7.2 | 0.7294 | 2020-05-08 |
| CVE-2020-17144 (KEV) | 10.0 | 8.4 | 0.3651 | 2020-12-10 |