Deserializing an object from untrusted input may result in security problems, such as denial of service or remote code execution.

Avoid deserializing objects from an untrusted source. If that is not possible, use a deserialization framework that does not let the input choose which type is instantiated, and fix the expected type in code.

In this example, text from an HTML text box is deserialized using a JavaScriptSerializer constructed with a SimpleTypeResolver. A type resolver lets the JSON payload name the .NET type to instantiate (through its `__type` member), so an attacker controlling the input can choose the type and its property setters, which may lead to arbitrary code execution.

To fix this specific vulnerability, we avoid using a type resolver and deserialize into a fixed target type. In other cases, it may be necessary to use a different deserialization framework.
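The pattern described above, as an added example that is not part of the original page: the vulnerable constructor call beside its fixed form. The `UserProfile` type and the JSON string standing in for the text box contents are constructed for illustration; the serializer types are the real ones from `System.Web.Extensions` (.NET Framework).

```csharp
using System;
using System.Web.Script.Serialization; // System.Web.Extensions assembly (.NET Framework)

// Illustrative target type (not from the original page).
public class UserProfile
{
    public string Name { get; set; }
    public int Age { get; set; }
}

public static class JavaScriptSerializerExample
{
    // BAD: SimpleTypeResolver resolves the "__type" member of the JSON with
    // Type.GetType, so the input decides which type is instantiated and which
    // property setters run during deserialization.
    public static object DeserializeUnsafe(string untrustedJson)
    {
        var serializer = new JavaScriptSerializer(new SimpleTypeResolver());
        return serializer.Deserialize<object>(untrustedJson);
    }

    // GOOD: no type resolver, and the target type is fixed by the caller.
    // Without a resolver the serializer has no way to map a "__type" name
    // to a Type, so the input cannot pick the class that gets created.
    public static UserProfile DeserializeSafe(string untrustedJson)
    {
        var serializer = new JavaScriptSerializer();
        return serializer.Deserialize<UserProfile>(untrustedJson);
    }

    public static void Main()
    {
        // Constructed input standing in for TextBox.Text. An attacker targeting
        // the unsafe variant would add a "__type" member naming a type of
        // their choice; the safe variant only ever produces a UserProfile.
        string input = "{\"Name\":\"alice\",\"Age\":30}";

        UserProfile profile = DeserializeSafe(input);
        Console.WriteLine($"{profile.Name} ({profile.Age})");
    }
}
```

The safe form also uses the generic `Deserialize<T>` rather than `DeserializeObject`, so the compiler enforces the expected shape and no `object`-typed result has to be cast or inspected afterwards.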

In the following example, a potentially untrusted stream and a potentially untrusted type name are deserialized using a DataContractJsonSerializer. This serializer is known to be exploitable when the type it is constructed with is supplied by the user, because the attacker then chooses which type is instantiated from the stream.

To fix this specific vulnerability, we construct the serializer with a hardcoded Plain Old CLR Object (POCO) type, so only the data in the stream remains untrusted. In other cases, it may be necessary to use a different deserialization framework.
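The same contrast for DataContractJsonSerializer, as an added example that is not part of the original page: the `Poco` type, the `DeserializeUnsafe`/`DeserializeSafe` method names and the constructed request body are illustrative; the serializer API is the real `System.Runtime.Serialization.Json` one.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Json;
using System.Text;

// Illustrative Plain Old CLR Object (not from the original page).
[DataContract]
public class Poco
{
    [DataMember] public string Name { get; set; }
    [DataMember] public int Count { get; set; }
}

public static class DataContractJsonExample
{
    // BAD: the type name arrives with the request, so the attacker decides
    // which Type the serializer is built for and therefore what gets constructed
    // from the stream.
    public static object DeserializeUnsafe(Stream untrustedStream, string untrustedTypeName)
    {
        Type t = Type.GetType(untrustedTypeName, throwOnError: true);
        var serializer = new DataContractJsonSerializer(t);
        return serializer.ReadObject(untrustedStream);
    }

    // GOOD: the expected type is hardcoded. Only the field values in the
    // stream are attacker-controlled, and they can only populate Poco.
    public static Poco DeserializeSafe(Stream untrustedStream)
    {
        var serializer = new DataContractJsonSerializer(typeof(Poco));
        return (Poco)serializer.ReadObject(untrustedStream);
    }

    public static void Main()
    {
        // Constructed request body; in the real scenario this is the request stream.
        byte[] body = Encoding.UTF8.GetBytes("{\"Name\":\"widget\",\"Count\":3}");
        using (var stream = new MemoryStream(body))
        {
            Poco result = DeserializeSafe(stream);
            Console.WriteLine($"{result.Name} x{result.Count}");
        }
    }
}
```

If the application genuinely needs to handle several shapes, keep a fixed allow-list of POCO types in code and select among them by a value you validate, rather than passing a caller-supplied name through `Type.GetType`.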

  • Muñoz, Alvaro and Mirosh, Oleksandr: JSON Attacks.