CodeClarityLab / Glossary
Ctrl K
← Home ← Codex ← DEBT
Browse by Category
+ added · updated 7d
Pages
Terms of Use About Contribute 🧠Logic graph Contact
← Back to glossary

PHP Object Injection

Security CWE-502 OWASP A8:2021 CVSS 9.8 PHP 5.0+ Advanced
debt(d5/e3/b3/t7)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5), semgrep/psalm/phpstan rules flag unserialize() of tainted input, but standard runtime gives no warning and the vulnerability is silent until exploited.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3), quick_fix is replacing unserialize() with json_decode() or adding allowed_classes: [] — pattern replacement but may require updating callers and data format migration.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3), unserialize call sites are typically scoped to session/cookie/cache handling components rather than spread across the whole architecture, though legacy apps using serialized sessions have wider reach.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7), the misconception that gadget chains are rare contradicts reality — magic methods (__wakeup, __destruct) fire implicitly during unserialize, which competent devs don't expect from a 'parsing' function, and encoding/encryption mitigations feel safe but aren't.

About DEBT scoring → scored by claude-opus-4-7 · 2026-05-11 · reviewed by human

Also Known As

PHP unserialize attack object injection PHP deserialization

TL;DR

Passing attacker-controlled data to unserialize() triggers magic methods on existing classes, enabling code execution, file deletion, or SSRF.

Explanation

PHP Object Injection is the practical exploit of insecure deserialization. When unserialize() processes attacker-controlled input, it instantiates arbitrary classes already loaded in the application's autoloader and calls __wakeup(), __destruct(), and __toString() as part of reconstruction. Attackers craft Property Oriented Programming (POP) chains — sequences of magic method calls across multiple classes that together achieve a malicious effect. Tools like PHPGGC (PHP Generic Gadget Chains) automate POP chain generation for popular frameworks. The fix: never unserialize untrusted data.

How It's Exploited

An attacker crafts a serialized payload that, when deserialized, triggers a gadget chain: __destruct() on a file logger class calls unlink() with an attacker-controlled filename, deleting arbitrary files on the server.

Common Misconception

PHP object injection is only dangerous if the codebase has obvious gadget chains. Modern exploit tools automatically scan autoloaded classes for usable magic method chains — large applications with many dependencies almost always have exploitable gadgets.

Why It Matters

PHP's unserialize() invokes magic methods like __wakeup, __destruct, and __toString on attacker-crafted objects — existing classes in the application's autoloader can be chained into arbitrary code execution.

Common Mistakes

  • Passing user-controlled cookies, GET/POST parameters, or database values to unserialize().
  • Believing that base64 encoding or encryption of serialized data prevents injection — if the key is compromised or the encoding bypassable, it doesn't help.
  • Using serialize()/unserialize() for caching or session storage of user-controllable data.
  • Not auditing installed packages for gadget chains — popular frameworks have known deserialization gadgets.

Code Examples

✗ Vulnerable 
// Deserializing user-controlled data:
$prefs = unserialize(base64_decode($_COOKIE['user_prefs']));
// Attacker crafts a serialized object with __destruct that writes a webshell
✓ Fixed 
// Never unserialize user input — use JSON instead:
// Bad:
// $obj = unserialize($_COOKIE['prefs']);

// Safe: JSON for data exchange:
$prefs = json_decode($_COOKIE['prefs'] ?? '{}', true);
if (!is_array($prefs)) $prefs = [];

// If unserialize is absolutely needed, use allowed_classes:
$obj = unserialize($data, ['allowed_classes' => [SafeClass::class]]);
// Only SafeClass can be instantiated — gadget chains blocked

// Verify data integrity with HMAC before deserializing:
$expected = hash_hmac('sha256', $data, SECRET_KEY);
if (!hash_equals($expected, $signature)) {
    throw new SecurityException('Data tampered');
}
$obj = unserialize($data, ['allowed_classes' => false]);
Added 15 Mar 2026
Edited 22 Mar 2026
Views 53

Curated in Warsaw under one editorial standard. 1,506 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
1 ping T 0 pings W 2 pings T 0 pings F 0 pings S 0 pings S 0 pings M 0 pings T 0 pings W 1 ping T 1 ping F 1 ping S 0 pings S 4 pings M 1 ping T 0 pings W 0 pings T 0 pings F 0 pings S 0 pings S 0 pings M 1 ping T 0 pings W 1 ping T 0 pings F 1 ping S 0 pings S 0 pings M 0 pings T 0 pings W
Agents 0
No pings yet today
No pings yesterday
Perplexity 8 Amazonbot 7 Scrapy 6 ChatGPT 4 Ahrefs 4 Unknown AI 3 Google 2 Claude 2 Bing 1 Meta AI 1 Sogou 1 SEMrush 1 PetalBot 1
Also referenced
Insecure Deserialization 63 Magic Methods (__get, __set, __call…) 50 serialize() / unserialize() 46
How they use it
crawler 36 crawler_json 4 pre-tracking 1
Related categories
php 13k security 7.8k
DEV INTEL Tools & Severity
🔴 Critical ⚙ Fix effort: Medium
⚡ Quick Fix
Replace unserialize() with json_decode() — JSON cannot carry PHP class information so no objects are reconstructed; if you must unserialize, use allowed_classes: [] strictly
📦 Applies To
PHP 5.0+ web cli
🔗 Prerequisites
🔍 Detection Hints
unserialize() of any user-supplied data; cookie session data stored as serialized PHP objects
Auto-detectable: ✓ Yes semgrep psalm phpstan
⚠ Related Problems
🤖 AI Agent
Confidence: High False Positives: Medium ✗ Manual fix Fix: High Context: File Tests: Update
CWE-502
✓ schema.org compliant