CVE-2024-54135: Php Unserialize User Input

Provally Curated | Public repository | High | Medium confidence | Verified | Apache-2.0 | php
greprules fetch cve-2024-54135-php-unserialize-user-input --engine opengrep

Description

User-controlled input flows into PHP's unserialize() (often via base64_decode). Calling unserialize() on attacker-controlled data allows instantiation of arbitrary objects whose magic methods (__wakeup, __destruct, __toString, etc.) execute automatically, enabling PHP Object Injection / gadget-chain exploitation (CWE-502). Use json_decode() with json_encode(
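As an added example (not code from the rule page or from Provally), the pattern this rule flags next to the JSON-based replacement it recommends; the preference-cookie functions, key names and sample values are assumed for illustration.

```php
<?php
// Vulnerable pattern: a cookie/POST value is base64-decoded and handed to
// unserialize(). Any autoloadable class can be instantiated, and its
// __wakeup()/__destruct() run as the object is created and freed (CWE-502).
function loadPrefsVulnerable(string $raw): array
{
    $data = unserialize(base64_decode($raw));   // sink the rule detects
    return is_array($data) ? $data : [];
}

// Hardened replacement: JSON decoded with $associative = true yields only
// scalars and arrays, so no caller-chosen class is ever instantiated.
function savePrefs(array $prefs): string
{
    return base64_encode(json_encode($prefs, JSON_THROW_ON_ERROR));
}

function loadPrefs(string $raw): array
{
    $json = base64_decode($raw, true);          // strict mode rejects junk
    if ($json === false) {
        return [];
    }
    try {
        $data = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    if (!is_array($data)) {
        return [];
    }
    // Allow-list the keys and types expected instead of trusting the blob.
    $out = [];
    if (isset($data['theme']) && in_array($data['theme'], ['light', 'dark'], true)) {
        $out['theme'] = $data['theme'];
    }
    if (isset($data['page_size']) && is_int($data['page_size'])
        && $data['page_size'] >= 1 && $data['page_size'] <= 100) {
        $out['page_size'] = $data['page_size'];
    }
    return $out;
}

// Interim mitigation if unserialize() cannot be removed yet: allowed_classes
// => false turns every object into __PHP_Incomplete_Class, whose magic
// methods never run. It narrows the sink; it does not make it safe.
function loadPrefsRestricted(string $raw): array
{
    $data = unserialize(base64_decode($raw), ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Constructed sample round trip (not from the rule page):
$prefs = loadPrefs(savePrefs(['theme' => 'dark', 'page_size' => 25]));
```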

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided