Why it Matters

PHP’s unserialize() function can be very dangerous if it processes data that an attacker controls. Malicious serialized data can trigger “gadget chains” in PHP objects, leading to code execution, data theft, or denial of service.

In Magento, using JSON or Magento’s built-in serializers is much safer. If deserialization is unavoidable, strict class whitelists must be enforced. Without these protections, a single crafted payload could take full control of the store.

Verification Steps

Manual

# Search custom code for use of unserialize(); -n prints the line number of each hit
grep -Rn "unserialize(" app/code

# Also check for related risky functions (this pattern matches serialize() and
# unserialize() alike; review each hit to see which data source feeds it)
grep -Rn "serialize(" app/code

Remediation / Fix Guidance

  1. Avoid unserialize(). Use json_decode() and json_encode() for safe data handling.
  2. If deserialization is required, use Magento’s safe serializer (\Magento\Framework\Serialize\Serializer\Json, normally obtained through \Magento\Framework\Serialize\SerializerInterface).
  3. Enforce strict class whitelists when deserialization cannot be avoided.
  4. Review all third-party extensions for unsafe serialization usage.

Examples

Fail Example

// Unsafe: unserializing user input lets the client choose which classes are instantiated
$data = unserialize($_POST['payload']);

Pass Example

// Safe: JSON decoding produces only arrays and scalars, never objects with magic methods
$data = json_decode($_POST['payload'], true);
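The remediation steps above, worked through as an added example (not code from the baseline page or from Magento itself): a hypothetical PayloadHandler class that decodes untrusted input with Magento's JSON serializer and, for legacy PHP-serialized data only, applies the strict class whitelist via PHP's native allowed_classes option. The class name and method names are assumptions.

```php
<?php
// Added example, not part of the baseline page. Assumes a Magento 2 module
// where SerializerInterface is resolved to Serializer\Json through di.xml.
declare(strict_types=1);

use Magento\Framework\Serialize\SerializerInterface;

class PayloadHandler
{
    private SerializerInterface $serializer;

    // Constructor injection: Magento's default preference for
    // SerializerInterface is \Magento\Framework\Serialize\Serializer\Json.
    public function __construct(SerializerInterface $serializer)
    {
        $this->serializer = $serializer;
    }

    /**
     * Decode an untrusted JSON payload. JSON cannot instantiate PHP objects,
     * so no gadget chain can be triggered whatever the client sends.
     * Returns null instead of throwing when the payload is not valid JSON.
     */
    public function decode(string $payload): ?array
    {
        try {
            $data = $this->serializer->unserialize($payload);
        } catch (\InvalidArgumentException $e) {
            return null; // Json::unserialize() throws on malformed input
        }
        return is_array($data) ? $data : null;
    }

    /**
     * Only for data already stored in PHP serialize() format.
     * 'allowed_classes' => false (PHP >= 7.0) turns every object in the
     * stream into __PHP_Incomplete_Class, so no __wakeup()/__destruct()
     * gadget runs. Pass an explicit array of class names instead of false
     * if specific value objects genuinely must be restored.
     *
     * @return mixed
     */
    public function decodeLegacy(string $payload)
    {
        return unserialize($payload, ['allowed_classes' => false]);
    }
}
```

After decodeLegacy(), check the result for __PHP_Incomplete_Class instances: their presence means the stored data contained objects that the whitelist rejected, which is worth logging during a migration to JSON.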

References