
serialize() / unserialize()

PHP CWE-502 OWASP A8:2021 CVSS 9.8 PHP 5.0+ Intermediate
debt(d5/e3/b5/t7)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches' (d5): semgrep/psalm/phpstan rules can flag unserialize() on untrusted input, but misuse is silent at runtime and is not caught by default linters.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3): the quick fix is replacing serialize()/unserialize() with json_encode()/json_decode(), a pattern swap, but it touches every call site and may require a data migration if serialised data is already persisted.

b5 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5): applies across web, CLI and queue contexts; once serialised data is stored in the database, cookies or sessions, the format choice shapes ongoing maintenance and migration work.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7): the misconception that serialize() is safe for caching contradicts the safer norms of other languages. unserialize() silently instantiates arbitrary classes and triggers their magic methods, enabling object injection in a way most developers do not anticipate.


Also Known As

serialize() unserialize() PHP object serialization

TL;DR

PHP's native serialisation functions can trigger arbitrary code execution via magic methods when deserialising untrusted data.

Explanation

unserialize() reconstructs PHP values and objects from a string, invoking magic methods such as __wakeup() and __destruct() in the process. If the serialised payload is attacker-controlled, they can craft a Property Oriented Programming (POP) chain from classes already loaded in the application to achieve arbitrary code execution: a PHP Object Injection attack. Never call unserialize() on user-supplied input. Use JSON (json_encode()/json_decode()) for data exchange; if native serialisation is required, authenticate the payload (for example with a signature or MAC checked before unserialize() runs) or use a safe serialisation library.

Common Misconception

The misconception: serialize() is safe to use for caching any PHP object. In reality, serialize()/unserialize() on untrusted data leads to PHP object injection. For caching, use json_encode() for plain data structures, or explicitly allowlist the trusted classes via unserialize($data, ['allowed_classes' => [SpecificClass::class]]).

Why It Matters

serialize() converts PHP values to a storable string representation. Passing user-controlled input back to unserialize() is one of PHP's most dangerous patterns, because it enables object injection attacks.

Common Mistakes

  • Unserializing any user-controlled data: cookies, URL parameters, database values from untrusted sources.
  • Using serialize() for data exchange between systems; use JSON instead, which cannot trigger PHP object instantiation.
  • Not using the allowed_classes option of unserialize() to restrict which classes can be instantiated.
  • Storing serialised data in cookies; the cookie is user-controlled and can be replaced with a crafted payload.

Code Examples

✗ Vulnerable
```php
$obj = unserialize($_COOKIE['data']); // attacker-controlled: any loaded class may be instantiated
```
✓ Fixed
```php
$data = json_decode(base64_decode($_COOKIE['data']), true); // use JSON for simple data; no objects are instantiated
```
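When native serialisation cannot be avoided (an existing cache or queue already holds serialize() output), the entry's remaining mitigations are to authenticate the payload before unserialize() runs and to restrict instantiation with allowed_classes. The following added example (not code from the original entry) combines both; it assumes PHP 8.0+, a hypothetical CachedProfile class and an application secret loaded from configuration:

```php
<?php
declare(strict_types=1);

// Hypothetical cached value; any application class works the same way.
final class CachedProfile
{
    public function __construct(public string $name, public int $level) {}
}

// Serialise and prepend an HMAC so any change to the blob is detected.
function sealPayload(mixed $value, string $secret): string
{
    $blob = serialize($value);
    return base64_encode(hash_hmac('sha256', $blob, $secret) . '|' . $blob);
}

// Returns null when the MAC is missing or wrong: unserialize() is never
// reached for unauthenticated data, so no magic method can fire.
function openPayload(string $sealed, string $secret, array $allowedClasses): mixed
{
    $decoded = base64_decode($sealed, true);
    if ($decoded === false || !str_contains($decoded, '|')) {
        return null;
    }
    [$mac, $blob] = explode('|', $decoded, 2);
    if (!hash_equals(hash_hmac('sha256', $blob, $secret), $mac)) {
        return null; // constant-time comparison: tampered or forged cookie
    }
    // Even a valid MAC only gets to instantiate the classes we expect.
    return unserialize($blob, ['allowed_classes' => $allowedClasses]);
}

$secret = 'assumed-app-secret'; // assumption: loaded from config in real code
$sealed = sealPayload(new CachedProfile('alice', 3), $secret);

// Valid MAC and allowlisted class: the object comes back intact.
var_dump(openPayload($sealed, $secret, [CachedProfile::class]) instanceof CachedProfile);

// One modified byte invalidates the MAC, so openPayload() returns null
// and unserialize() is never called.
$tampered = base64_encode(substr(base64_decode($sealed, true), 0, -1) . 'X');
var_dump(openPayload($tampered, $secret, [CachedProfile::class]));

// A signed payload naming a class outside the allowlist decodes to a
// __PHP_Incomplete_Class object: the real class's __wakeup()/__destruct()
// never run. get_class() reports that placeholder name here.
var_dump(get_class(openPayload($sealed, $secret, [])));
```

The MAC check must come before any parsing of the blob, since unserialize() itself is the dangerous step; an allowlist alone still lets an attacker choose properties of the allowed classes.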

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity
🔴 Critical ⚙ Fix effort: Medium
⚡ Quick Fix
Replace serialize()/unserialize() with json_encode()/json_decode() for data persistence — JSON is safer (no object instantiation), human-readable, and language-agnostic
📦 Applies To
PHP 5.0+ web cli queue-worker
🔍 Detection Hints
serialize() output stored in a database or cookie; unserialize() of any user-controlled or untrusted data; session data serialised as PHP objects
Auto-detectable: ✓ Yes semgrep psalm phpstan
🤖 AI Agent
Confidence: Medium False Positives: Medium ✗ Manual fix Fix: High Context: File Tests: Update
CWE-502