What is insecure deserialization?
Answer
Insecure deserialization occurs when an application deserializes (reconstructs objects from) untrusted data without proper validation, allowing an attacker to manipulate that data to achieve remote code execution (RCE), authentication bypass, or privilege escalation. When an application deserializes attacker-controlled data, the attacker can craft a malicious serialized object that executes arbitrary code during deserialization, via "gadget chains": sequences of legitimate classes that, chained together, produce dangerous behavior.

Famous example: the Apache Commons Collections gadget chain, exploited in Java applications through serialized Java objects delivered in session cookies, RMI, and JMX.

Prevention:
(1) Don't deserialize untrusted data if it can be avoided.
(2) Use formats such as JSON or XML with explicit parsing instead of native serialization.
(3) Integrity-check serialized data (e.g., sign it with an HMAC) and verify the signature before deserializing.
(4) Implement deserialization filters (Java 9+ provides a built-in mechanism).
(5) Run deserialization in sandboxed, low-privilege environments.