
CWE-502
CWE-502, known as "Deserialization of Untrusted Data," occurs when an application deserializes data received from an external source without adequately validating it first. This lets attackers craft malicious serialized data that, when deserialized (converted back into objects or data structures the program uses), causes the application to execute unintended actions, escalate privileges, or even hand over control of the system. Essentially, it is like accepting and opening a package without checking what's inside and risking malicious contents. Proper validation and cautious handling of deserialized data are essential to prevent this vulnerability.
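As an added illustration (example code written for this page, not taken from CWE or any project it cites), the Python block below puts the vulnerable pattern next to two defensive forms. `unsafe_load` is the CWE-502 shape: `pickle.loads` resolves whatever module and attribute names the stream references, so the sender controls what gets called. `RestrictedUnpickler` hardens the same loader with an allowlist of the only globals a stream may name, and `parse_record` shows the generally preferred approach of a data-only format (JSON) plus explicit shape validation. The sample inputs, the `user`/`role` record layout and the `ROLES` set are constructed for the example; `datetime.date` stands in for any type the application never intended to accept.

```python
import datetime
import io
import json
import pickle

# Constructed sample inputs (not from the page): a benign record and a stream
# that references a type the application never intended to deserialize.
BENIGN_PICKLE = pickle.dumps({"user": "alice", "role": "viewer"})
FOREIGN_TYPE_PICKLE = pickle.dumps(datetime.date(2024, 1, 1))
GOOD_JSON = '{"user": "alice", "role": "viewer"}'
BAD_JSON = '{"user": "alice", "role": {"$class": "Admin"}}'


def unsafe_load(blob: bytes):
    """Vulnerable pattern (CWE-502): pickle.loads resolves any module.attribute
    reference the stream names and invokes it, so the sender decides what runs."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened pickle loader: only allowlisted globals may be resolved.
    Everything else is refused before any object is constructed."""

    # Hypothetical allowlist for this example; a real one lists exactly the
    # types the application's own records are known to contain.
    ALLOWED = {
        ("builtins", "dict"),
        ("builtins", "list"),
        ("builtins", "str"),
        ("builtins", "int"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def restricted_load(blob: bytes) -> tuple:
    """Return (True, obj) on success or (False, reason) when the stream names
    a global outside the allowlist."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(blob)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed set of permitted role values for the example record format.
ROLES = {"viewer", "editor"}


def parse_record(text: str) -> tuple:
    """Preferred approach: a data-only format (JSON) plus explicit validation
    of keys, types and values before the record is used."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return False, f"malformed JSON: {exc.msg}"
    if not isinstance(data, dict) or set(data) != {"user", "role"}:
        return False, "unexpected keys"
    if not (isinstance(data["user"], str)
            and isinstance(data["role"], str)
            and data["role"] in ROLES):
        return False, "bad field type or value"
    return True, data


if __name__ == "__main__":
    print("unsafe_load:", unsafe_load(BENIGN_PICKLE))
    print("restricted_load (benign):", restricted_load(BENIGN_PICKLE))
    print("restricted_load (foreign type):", restricted_load(FOREIGN_TYPE_PICKLE))
    print("parse_record (good):", parse_record(GOOD_JSON))
    print("parse_record (bad):", parse_record(BAD_JSON))
```

The restricted unpickler is a mitigation for code that cannot move away from a native object-serialization format; the allowlist must be kept minimal, because any allowlisted callable becomes part of the attack surface. Where the format can be chosen, `parse_record` is the lower-risk design: the parser never instantiates application types, and the validation step rejects anything that does not match the expected shape.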