Execute commands by sending JSON? Learn how unsafe deserialization vulnerabilities work in Ruby projects


This post discusses how dangerous code can be sent to a server via JSON, due to unsafe deserialization vulnerabilities, potentially allowing an attacker to execute arbitrary commands remotely. Such vulnerabilities exist if the code on the server has unsafe deserialization, where arbitrary classes or class-like structures are deserialized from data controlled by the user. It offers guidance on how developers can detect such vulnerabilities, how they work, and how they can be exploited, particularly using Ruby-based JSON deserialization library, Oj.

read full post