MB-R017 Deserialization safety

C03 Secure Coding Practices High

PHP’s unserialize() can lead to arbitrary code execution if user-controlled input is deserialized. Use JSON or Magento’s safe serializers instead. Any unavoidable use of unserialize must enforce allowed class whitelists to prevent gadget chains and object injection.

Why it Matters

PHP’s unserialize() function can be very dangerous if it processes data that an attacker controls. Malicious serialized data can trigger “gadget chains” in PHP objects, leading to code execution, data theft, or denial of service.

In Magento, using JSON or Magento’s built-in serializers is much safer. If deserialization is unavoidable, strict class whitelists must be enforced. Without these protections, a single crafted payload could take full control of the store.

Verification Steps

Manual

# Search custom code for use of unserialize()
grep -R "unserialize(" app/code

# Also check for related risky functions
grep -R "serialize(" app/code

Remediation / Fix Guidance

  1. Avoid unserialize(). Use json_decode() and json_encode() for safe data handling.
  2. If deserialization is required, use Magento’s safe serializer (\Magento\Framework\Serialize\Serializer\Json or Serialize\SerializerInterface).
  3. Enforce strict class whitelists when deserialization cannot be avoided.
  4. Review all third-party extensions for unsafe serialization usage.
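Step 3 in plain PHP, as an added example that is not code from the baseline or from Magento itself: unserialize() is restricted to an explicit allow-list and any result that still references an unexpected class is rejected. The CartNote class and both payloads are constructed for illustration; PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical value object that the application legitimately stores serialized.
final class CartNote
{
    public function __construct(public string $text = '') {}
}

// Fallback for when native serialization cannot be removed: unserialize() with an
// explicit allow-list. Classes outside the list are materialised as
// __PHP_Incomplete_Class, whose magic methods never run, and the result is rejected.
function unserializeAllowed(string $payload, array $allowedClasses): mixed
{
    $value = unserialize($payload, [
        'allowed_classes' => $allowedClasses, // never `true` for untrusted input
        'max_depth'       => 32,              // PHP >= 7.4, bounds nesting depth
    ]);
    if ($value === false && $payload !== 'b:0;') {
        throw new InvalidArgumentException('Malformed serialized payload');
    }
    if (containsIncompleteClass($value)) {
        throw new InvalidArgumentException('Class outside the allow-list in payload');
    }
    return $value;
}

// Recursive check: an unexpected class can be nested inside arrays or properties.
function containsIncompleteClass(mixed $value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    foreach (is_array($value) || is_object($value) ? (array) $value : [] as $item) {
        if (containsIncompleteClass($item)) {
            return true;
        }
    }
    return false;
}

// Constructed payloads: a legitimate CartNote, and one naming a class that is not
// on the list (a placeholder class name standing in for any unexpected class).
$legit = serialize(new CartNote('gift wrap'));
$other = 'O:15:"SomeOtherObject":0:{}';
var_dump(unserializeAllowed($legit, [CartNote::class]) instanceof CartNote);
try {
    unserializeAllowed($other, [CartNote::class]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

In Magento code the first choice remains the injected \Magento\Framework\Serialize\Serializer\Json from step 2; the allow-listed fallback is only for legacy data that has not yet been migrated.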

Examples

Fail Example

// Unsafe: unserializing user input
$data = unserialize($_POST['payload']);

Pass Example

// Safe: using JSON
$data = json_decode($_POST['payload'], true);

References