mcp-server-semgrep/semgrep-rules/python/lang/security/deserialization/avoid-jsonpickle.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: avoid-jsonpickle
  patterns:
  - pattern: |
      jsonpickle.decode($PAYLOAD,...)
  - pattern-not: |
      jsonpickle.decode("...",...)
  metadata:
    owasp:
    - A08:2017 - Insecure Deserialization
    - A08:2021 - Software and Data Integrity Failures
    cwe:
    - 'CWE-502: Deserialization of Untrusted Data'
    references:
    - https://github.com/jsonpickle/jsonpickle#jsonpickle
    - https://www.exploit-db.com/exploits/49585
    category: security
    technology:
    - jsonpickle
    cwe2022-top25: true
    cwe2021-top25: true
    subcategory:
    - audit
    likelihood: LOW
    impact: MEDIUM
    confidence: LOW
  message: >-
    Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities.
    When unpickling, the serialized data could be manipulated to run arbitrary code.
    Instead, consider serializing the relevant data using `json` module.
  languages: [python]
  severity: WARNING