Deserialization is the process of turning stored or transmitted data back into a live object that software can use. In web applications, that may mean rebuilding session state, configuration, or page data from a file, cookie, or hidden form field. The process is useful because it lets programs save complex state and restore it later, but it also creates a trust boundary: the application must assume the input is well-formed and untampered.
In cyber security, deserialization becomes dangerous when attacker-controlled data is accepted without strict validation or integrity protection. A crafted payload can trigger unexpected object behavior, bypass checks, or even lead to remote code execution if dangerous classes or methods are reachable. Defenders reduce this risk by avoiding unsafe formats, signing or encrypting state, restricting allowed object types, and treating all serialized input as untrusted. In ASP.NET and similar platforms, weak key handling can turn ordinary state restoration into an attack path.



