deserializer

A deserializer is a software component that converts data from a serialized, or encoded, representation back into a usable in-memory data structure or object. It is the counterpart to a serializer, which encodes data for storage or transmission. Deserializers support a range of formats, including JSON, XML, YAML, Protocol Buffers, MessagePack, and various custom binary encodings. They are used when receiving data over networks, reading files, or reconstructing objects after inter-process communication.

How deserialization works varies by format, but generally involves parsing the input to recover primitive values (numbers, strings, booleans) and then reassembling complex structures such as arrays, maps, and object graphs. Some formats carry type information or class metadata to aid reconstruction. Deserializers may perform strict type checking, handle references and cycles, and support streaming or incremental parsing for large data sets.

Security is a central concern in deserialization. Deserializing untrusted data can enable attacks such as remote code execution, object injection, or denial of service. Risks arise when the deserializer creates instances of classes or executes constructors during the process. Mitigations include avoiding arbitrary object deserialization, validating input, using formats that do not embed executable type information, applying strict schemas or whitelists, and leveraging cryptographic signing and integrity checks.

Deserializers vary in scope and behavior. General-purpose libraries aim to support many data shapes, while streaming deserializers process data in chunks to reduce memory usage. Some languages provide safer deserialization options or require explicit configuration to minimize risk.
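The mitigations listed above (a whitelist of constructible types, a strict per-field schema, an input size limit, and an integrity check before parsing) combined in one small JSON deserializer. This is an added example, not code from the original entry or from any particular library; the `Order` record type, the `__type__` tag convention, the `SECRET_KEY` value and the `MAX_PAYLOAD_BYTES` limit are assumptions chosen for the illustration. It uses only the Python standard library (`json`, `hmac`, `hashlib`).

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumption: a secret shared between the producer and the consumer of the data.
# Constructed for this example; a real deployment would load it from a key store.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"

# Maximum accepted payload size: a cheap guard against memory-exhaustion inputs.
MAX_PAYLOAD_BYTES = 64 * 1024


@dataclass(frozen=True)
class Order:
    """Hypothetical record type the application expects to receive."""
    order_id: int
    customer: str
    items: tuple


# Whitelist: the only type tag the deserializer is willing to instantiate,
# together with the exact field set and the primitive type of each field.
SCHEMA = {
    "Order": {"order_id": int, "customer": str, "items": list},
}
CONSTRUCTORS = {"Order": Order}


def sign(payload: bytes) -> str:
    """Producer side: HMAC-SHA256 tag over the serialized bytes."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def _check_type(value, expected) -> bool:
    # bool is a subclass of int in Python; reject True/False where an int is required.
    if expected is int and isinstance(value, bool):
        return False
    return isinstance(value, expected)


def _build(obj: dict):
    """json.loads object_hook: runs once per JSON object, innermost first.

    Objects without a "__type__" tag stay plain dicts; tagged objects are
    constructed only if the tag is whitelisted and every field matches the schema.
    """
    kind = obj.get("__type__")
    if kind is None:
        return obj
    if kind not in SCHEMA:
        raise ValueError(f"type not allowed: {kind!r}")
    fields = {k: v for k, v in obj.items() if k != "__type__"}
    expected = SCHEMA[kind]
    if set(fields) != set(expected):
        raise ValueError(f"unexpected field set for {kind}: {sorted(fields)}")
    for name, typ in expected.items():
        if not _check_type(fields[name], typ):
            raise ValueError(f"field {name!r} of {kind} has wrong type")
    if kind == "Order":
        fields["items"] = tuple(fields["items"])  # freeze the list for the frozen dataclass
    return CONSTRUCTORS[kind](**fields)


def deserialize(payload: bytes, tag: str):
    """Consumer side: size guard, integrity check, then schema-checked parse."""
    if len(payload) > MAX_PAYLOAD_BYTES:
        raise ValueError("payload too large")
    # Verify before parsing so tampered or forged bytes never reach the parser.
    if not hmac.compare_digest(sign(payload), tag):
        raise ValueError("integrity check failed")
    return json.loads(payload, object_hook=_build)


if __name__ == "__main__":
    # Constructed sample message.
    body = json.dumps({"__type__": "Order", "order_id": 7,
                       "customer": "alice", "items": ["widget", "gadget"]}).encode()
    print(deserialize(body, sign(body)))
```

The ordering matters: the size check runs before anything is allocated, the HMAC is verified before the parser sees the bytes, and the `object_hook` is the only place a class is ever instantiated, so an unknown `__type__` tag or an unexpected field is rejected instead of being turned into an object. JSON itself carries no class metadata, so the type tag is an application-level convention that the whitelist keeps under the consumer's control.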