Marshal.load / YAML.load on a blob (Ruby)
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
Marshal.load and YAML.load reconstruct arbitrary Ruby objects, which is remote code execution on untrusted input. Use JSON.parse for data, or YAML.safe_load with an allowlist.
Why it matters
Marshal.load and YAML.load rebuild arbitrary Ruby objects from the serialized data, so on untrusted input they are remote code execution through object and gadget chains. Marshal is meant only for data you produced yourself.
How to fix it
Use JSON.parse for data received from clients or other services. For YAML from untrusted sources use YAML.safe_load with an explicit permitted-classes allowlist. Reserve Marshal for internal, trusted data such as your own cache entries, and never expose that channel to users.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo