Deserializing an object from untrusted input may result in security problems, such as denial-of-service or remote code execution.

Avoid deserializing objects from an untrusted source, and if that is not possible, make sure to use a safe deserialization framework.

In this example, text from an HTML text box is deserialized using a JavaScriptSerializer with a simple type resolver. Using a type resolver means that type names carried in the input decide which classes are instantiated, so arbitrary code may be executed.

To fix this specific vulnerability, we avoid using a type resolver. In other cases, it may be necessary to use a different deserialization framework.
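As an added example (not the page's own code), the unsafe construction the text describes beside its fixed form; the class names UserProfile and ProfileHandler are assumptions, and the JSON string stands in for the contents of the HTML text box.

```csharp
using System;
using System.Web.Script.Serialization;

// Added example, not from the original page. "UserProfile" and
// "ProfileHandler" are hypothetical names.
public class UserProfile
{
    public string Name { get; set; }
    public int Age { get; set; }
}

public static class ProfileHandler
{
    // BAD: with a type resolver, the "__type" field in the JSON selects the
    // class that gets instantiated, so untrusted input controls which types
    // are constructed and which property setters run.
    public static object DeserializeUnsafe(string untrustedJson)
    {
        var serializer = new JavaScriptSerializer(new SimpleTypeResolver());
        return serializer.DeserializeObject(untrustedJson);
    }

    // GOOD: no type resolver, and the target type is fixed by the caller.
    // Type names in the input are not used to resolve types, so the JSON
    // can only populate the properties of UserProfile.
    public static UserProfile DeserializeSafe(string untrustedJson)
    {
        var serializer = new JavaScriptSerializer();
        return serializer.Deserialize<UserProfile>(untrustedJson);
    }

    public static void Main()
    {
        // Constructed sample input standing in for the text-box contents.
        string json = "{\"Name\":\"alice\",\"Age\":30}";
        UserProfile profile = DeserializeSafe(json);
        Console.WriteLine(profile.Name);
    }
}
```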
