YAML Load Executes Arbitrary Code Compromising 470 Servers?!

YAML RCE APOCALYPSE! yaml.load() executes Python! Attacker uploads malicious config! Backdoor on all servers! 4.7M database exfiltrated! $47M breach! CISO ARRESTED!

#python #pythondisaster #yaml #remotecodeexecution #configloading #productionbug #pythonshorts #pythonwtf #deserialization #careerending #criminalcharges #pyyaml

https://www.youtube.com/watch?v=Lvvwf-SaDeE

💣 CLIXML #deserialization in #PowerShell isn't harmless… At #PSConfEU 2025, Alexander Andersson showed how it enables: ✔ Lateral movement ✔ Privilege escalation ✔ Guest-to-host VM breakouts 🎟️ Early bird 2026 tickets → psconf.eu #Security #CLIXML

- YouTube

Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed FileTransfer vulnerability - https://www.redpacketsecurity.com/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-filetransfer-vulnerability/

#threatintel
#CVE-2025-10035
#GoAnywhere MFT
#Deserialization vulnerability
#Storm-1175
#Medusa ransomware

Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed FileTransfer vulnerability - https://www.redpacketsecurity.com/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-filetransfer-vulnerability/

#threatintel
#CVE-2025-10035
#GoAnywhere MFT
#Deserialization vulnerability
#Storm-1175
#Medusa ransomware

High Fidelity Detection Mechanism for RSC/Next.js RCE (CVE-2025-55182 & CVE-2025-66478):

https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/

#exploit #exploitation #infosec #informationsecurity #cve #rce #hacking #deserialization

High Fidelity Detection Mechanism for RSC/Next.js RCE (CVE-2025-55182 & CVE-2025-66478):

https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/

#exploit #exploitation #infosec #informationsecurity #cve #rce #hacking #deserialization

Making Serialization Gadgets by Hand - .NET:

https://www.vulncheck.com/blog/making-dotnet-gadgets

#dotnet #infosec #deserialization #hacking #programming #exploit #exploitation

Making Serialization Gadgets by Hand - .NET:

https://www.vulncheck.com/blog/making-dotnet-gadgets

#dotnet #infosec #deserialization #hacking #programming #exploit #exploitation

CVE-2025-59287 WSUS Unauthenticated RCE

Vulnerability in update service enables unauthenticated attacker to send crafted encrypted cookie leading to unsafe deserialization and SYSTEM-level code execution

https://hawktrace.com/blog/CVE-2025-59287-UNAUTH

#Deserialization #PatchMgmt

Why nested deserialization is STILL harmful – Magento RCE (CVE-2025-54236):

https://slcyber.io/assetnote-security-research-center/why-nested-deserialization-is-still-harmful-magento-rce-cve-2025-54236/

#infosec #cybersecurity #deserialization #rce #exploit #exploitation #cve

Why nested deserialization is STILL harmful – Magento RCE (CVE-2025-54236):

https://slcyber.io/assetnote-security-research-center/why-nested-deserialization-is-still-harmful-magento-rce-cve-2025-54236/

#infosec #cybersecurity #deserialization #rce #exploit #exploitation #cve

I built a tiny/simple ECS library for a hobby game. I like defining "prefabs" in code, but I'm wracking my brain trying to understand how I can have code-defined prefabs, but also make a lightweight editor where I can place entities and edit attributes about that "instance" in the level, save it, and have that deserialized data be applied on top of the prefab during deserialization/gameplay.

Any hobbiests out there, I could use your insights.

#ecs #deserialization #leveleditors #helpwanted

🚨 CVE-2025-6507 (CRITICAL, CVSS 9.8): h2oai/h2o-3 vulnerable to remote code execution & file read via deserialization flaw in JDBC handling. Upgrade to 3.46.0.8+ ASAP! https://radar.offseq.com/threat/cve-2025-6507-cwe-502-deserialization-of-untrusted-fcb4a255 #OffSeq #CVE20256507 #AIsecurity #Deserialization

🔴 CRITICAL: CVE-2025-42980 in SAP NetWeaver EP-RUNTIME 7.50 exposes deserialization of untrusted data. Privileged users can trigger full system compromise. Apply patches & review privileges. https://radar.offseq.com/threat/cve-2025-42980-cwe-502-deserialization-of-untruste-7b67491f #OffSeq #SAP #CVE202542980 #Deserialization #Vuln

💣 CLIXML #deserialization in #PowerShell isn't harmless… At #PSConfEU 2025, Alexander Andersson showed how it enables: ✔ Lateral movement ✔ Privilege escalation ✔ Guest-to-host VM breakouts 🎟️ Early bird 2026 tickets → psconf.eu #Security #CLIXML

- YouTube

Using JsonPropertyName to map Json to Class C# Tip #42 - How to use the [JsonPropertyName] attribute in C# to map mismatched JSON fields (like "id") to class properties (like UniquePostId) during deserialization. #CSharp #JSON #Deserialization #HttpClient #JsonPropertyName #DataMapping #WebAPI #DotNet #Attributes

Seems a first step is almost done, adding #JSON support to my #poser lib. This could be the foundation for #JWT support in #swad. 😎

Need to do more thorough testing I guess, but at least the two example documents from #rfc8259 work fine ... the test tool does a full #deserialization / #serialization roundtrip (with specific internal representations of the data types supported by JSON).

edit: Look at the "Longitude" value of the second object in the second example 😏 I only noticed myself right now, but of course that's the desired behavior.

My first article for @mogwailabs_gmbh just released. Thanks to @h0ng10 for making it happen. 🥳

https://mogwailabs.de/en/blog/2024/12/jndi-mind-tricks/

#jndi #java #deserialization

Note: before all of the script kiddies get their hopes up and think they can pwnxorize every Rails app, deserialization vulnerabilities in Ruby are actually quite rare these days due to Marshal.load almost never being used in the wild and YAML.load has been aliased to YAML.safe_load for some time now.
#rubysec #deserialization