#deserialization — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #deserialization, aggregated by home.social.
-
🚀 Wow! A 5-minute epic on how rearranging some #structs 🏗️ in #Rust saves a whopping 475 MB of #memory. Who knew struct feng shui could revolutionize #JSON deserialization? 🙄 Next up, "How I Saved The World by Organizing My Sock Drawer." 🧦
https://dystroy.org/blog/box-to-save-memory/ #Optimization #Deserialization #HackerNews #TechHumor #HackerNews #ngated -
💣 CLIXML #deserialization in #PowerShell isn't harmless… At #PSConfEU 2025, Alexander Andersson showed how it enables: ✔ Lateral movement ✔ Privilege escalation ✔ Guest-to-host VM breakouts 🎟️ Early bird 2026 tickets → psconf.eu #Security #CLIXML
- YouTube -
High Fidelity Detection Mechanism for RSC/Next.js RCE (CVE-2025-55182 & CVE-2025-66478):
#exploit #exploitation #infosec #informationsecurity #cve #rce #hacking #deserialization
-
Making Serialization Gadgets by Hand - .NET:
https://www.vulncheck.com/blog/making-dotnet-gadgets
#dotnet #infosec #deserialization #hacking #programming #exploit #exploitation
-
Why nested deserialization is STILL harmful – Magento RCE (CVE-2025-54236):
#infosec #cybersecurity #deserialization #rce #exploit #exploitation #cve
-
Using JsonPropertyName to map Json to Class C# Tip #42 - How to use the [JsonPropertyName] attribute in C# to map mismatched JSON fields (like "id") to class properties (like UniquePostId) during deserialization. #CSharp #JSON #Deserialization #HttpClient #JsonPropertyName #DataMapping #WebAPI #DotNet #Attributes
-
[oss-security] CVE-2025-48734: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum's declaredClass property by default
https://www.openwall.com/lists/oss-security/2025/05/28/6
I wonder if the now restricted behavior is useful for #deserialization gadgets (I couldn't find references to declaredClass abuse, but haven't finished my coffee yet either...)? -
My first article for @mogwailabs_gmbh just released. Thanks to @h0ng10 for making it happen. 🥳
-
This Week in Security: Hardware Attacks, IoT Security, and More https://hackaday.com/2024/11/15/this-week-in-security-hardware-attacks-iot-security-and-more/ #ThisWeekinSecurity #HackadayColumns #Deserialization #SecurityHacks #glitching #hardware #News
-
This Week in Security: Hardware Attacks, IoT Security, and More - This week starts off with examinations of a couple hardware attacks that you might... - https://hackaday.com/2024/11/15/this-week-in-security-hardware-attacks-iot-security-and-more/ #thisweekinsecurity #hackadaycolumns #deserialization #securityhacks #glitching #hardware #news
-
🚀 Next week is #BaselOne24 🎉
On October 16 and 17, 2024, many exciting workshops and talks by well-known speakers and newcomers await you. They will bring you up to date on #KünstlicheIntelligenz, #Deserialization, #Metriken, #TeamBuilding, #Java, #Kafka, #Testing, and much more.
👉🏻 Here is the program: https://lnkd.in/egfakuP5
#communityrocks #BaselOne #TechEvent #CleanCode #AI #Kafka #Java
-
Wednesday Links - Edition 2024-10-02
https://dev.to/0xkkocel/wednesday-links-edition-2024-10-02-1hcm
#java #jvm #threads #deserialization #spring -
⏳Who turned the clock... Only 3 weeks left until #BaselOne24... 😊
🔊 On October 16 and 17, 2024, Gerrit Grunwald, Grace Jansen, Falk Sippach, Nadine Broghammer, Simon Martinelli and Patrick Baumgartner await you. They will bring you up to date on #KünstlicheIntelligenz, #Deserialization, #Metriken, #TeamBuilding, #Java, #Kafka, #Testing, and much more.
🐸 at https://lnkd.in/ggjmzerN.
-
The sorry state of Java deserialization
https://www.marginalia.nu/log/a_110_java_io/?utm_medium=erik.in&utm_source=mastodon
-
#Elastic: Critical #Kibana Vulnerabilities (CVE-2024-37288, CVE-2024-37285) Expose Systems to Arbitrary Code Execution potentially leading to complete system compromise. Both CVEs are related to YAML #Deserialization. Patch now - Upgrade to Kibana v8.15.1:
👇
https://securityonline.info/critical-kibana-flaws-cve-2024-37288-cve-2024-37285-expose-systems-to-arbitrary-code-execution/ -
Critical Kibana Vulnerability - Arbitrary Code Execution via YAML Deserialization
Date: September 5, 2024
CVE: CVE-2024-37285
Vulnerability Type: Deserialization of Untrusted Data
CWE: CWE-502
Sources: Elastic Security Advisory
Synopsis
CVE-2024-37285 impacts Kibana versions 8.10.0 to 8.15.0, where a deserialization flaw allows remote code execution if an attacker injects malicious YAML payloads. This vulnerability requires that an attacker has elevated Elasticsearch and Kibana privileges.
Issue Summary
The vulnerability arises from improper YAML deserialization within Kibana. A malicious actor can craft a YAML payload and execute arbitrary code, provided they have specific Elasticsearch index and Kibana privileges. This issue affects Kibana from versions 8.10.0 through 8.15.0 and is critical due to its ease of exploitation and the potential for widespread impact.
Technical Key Findings
Attackers exploit this flaw by submitting a specially crafted YAML document that Kibana deserializes without proper validation. Once the malicious code is parsed, it can run on the server with elevated privileges, enabling arbitrary code execution.
The attacker must have the following Elasticsearch indices permissions:
- write access to system indices .kibana_ingest*
- The allow_restricted_indices flag needs to be set to true
The attacker must also have ANY of the following Kibana privileges:
- Under Fleet the All privilege is granted
- Under Integration the Read or All privilege is granted
- Access to the fleet-setup privilege is gained through the Fleet Server's service account token
Vulnerable Products
- Kibana versions 8.10.0 to 8.15.0.
Impact Assessment
Successful exploitation could allow an attacker to execute arbitrary commands, leading to a complete system compromise. This could affect confidentiality, integrity, and availability, making it a high-risk issue for organizations relying on Kibana for data visualization and exploration.
Patches or Workaround
Upgrading to Kibana version 8.15.1 resolves this vulnerability. Additionally, limiting access to Elasticsearch indices and restricting Kibana privileges reduces exposure.
Tags
#CVE-2024-37285 #Kibana #ArbitraryCodeExecution #YAML #Deserialization #ElasticStack #CyberSecurity
-
"Critical RCE Flaw Uncovered in SolarWinds Access Rights Manager 🚨 #CVE2023-40057"
A newly discovered deserialization vulnerability in SolarWinds Access Rights Manager (versions up to 2023.2.2) poses a severe risk, enabling remote code execution. Classified as very critical with a CVSS score of 8.9, this flaw (CVE-2023-40057) could allow authenticated users to execute arbitrary code remotely. Despite its high impact on confidentiality, integrity, and availability, no exploit is currently available. The vulnerability underscores the importance of validating deserialized data to prevent unauthorized access. No mitigation measures have been identified yet, emphasizing the need for heightened vigilance and potential product alternatives.
Stay informed: CVE-2023-40057 Details
Tags: #CyberSecurity #Vulnerability #SolarWinds #RemoteCodeExecution #RCE #Deserialization #CVE2023-40057 #InfoSec 🛡️💡🔒
-
Today I learned - In Rust, you can deserialize types by attempting multiple options until one operation succeeds! ✨
🦀 **serde_with**: Custom de/serialization functions for Rust's serde.
⭐ GitHub: https://github.com/jonasbb/serde_with
🍕 For example, we can deserialize user ID from a number or string.
-
Before the holiday break, I started looking at CVE-2022-1471 in Confluence and Bitbucket, which led me to trying to understand how SnakeYAML deserialization vulnerabilities actually work. It was quite the ride, full of open source drama and a plethora of related vulns. I wrote it all up in this blog post:
https://www.labs.greynoise.io/grimoire/2024-01-03-snakeyaml-deserialization/
#vuln #vulnerability #poc #java #deserialization #snakeyaml #yaml
-
I always used the serde crate for Rust - but today I found out about another pretty-looking serialization framework! (plus it has a cool name!)
🦀 **rkyv** (*archive*): Zero-copy deserialization framework for Rust.
⭐ GitHub: https://github.com/rkyv/rkyv
-
Here are some #tips for #testing #web #applications to identify potential #Insecure #Deserialization #vulnerabilities.
It is another article in the #AppSec Tales series. The #practical #guide for #Penetration #Testers and #Bug #Bounty #Hunters.
I hope you like it and enjoy reading it 💻
https://karol-mazurek95.medium.com/appsec-tales-xxiv-deserialization-841d6bfaa710
-
SnakeYaml 2.0: Solving the unsafe deserialization vulnerability https://t.co/Lo5o8SA8e8
#java #security #snakeyaml #deserialization https://t.co/HUFugtXp5g -
PHP code review: is it open to object code injection through unserialize
https://security.stackexchange.com/questions/269314/php-code-review-is-it-open-to-object-code-injection-through-unserialize
#objectinjection #deserialization #codereview #cookies #php -
Posted a technical #AttackerKB #writeup of CVE-2022-47986 (CVE_2022_47986 / #CVE202247986), a #Ruby #deserialization #vulnerability in IBM's Aspera software, which runs on a humorously old version of Ruby:
https://attackerkb.com/topics/jadqVo21Ub/cve-2022-47986/rapid7-analysis?source=mastodon
-
#VMware vRealize Log Insight VMSA-2023-0001 Technical Deep Dive
CVE-2022-31706: VMware vRealize Log Insight #Directory #Traversal #Vulnerability
CVE-2022-31704: VMware vRealize Log Insight broken Access Control Vulnerability
CVE-2022-31710: VMware vRealize Log Insight #Deserialization Vulnerability
CVE-2022-31711: VMware vRealize Log Insight Information Disclosure Vulnerability
https://www.horizon3.ai/vmware-vrealize-log-insight-vmsa-2023-0001-technical-deep-dive/
-
Put APIs to Work wth this ArduinoJson Walkthrough - One of the things this community is famous for is the degree to which people will ... - https://hackaday.com/2021/05/28/put-apis-to-work-wth-this-arduinojson-walkthrough/ #applicationprogramminginterface #javascriptojectnotation #microcontrollers #deserialization #serialization #arduinojson #parsing #json #api