Will It Vibe logoWill It Vibe?
INJECT-031High severity-15 points

unserialize() on request input (PHP)

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

unserialize() on a superglobal ($_GET/$_POST/$_REQUEST/$_COOKIE) can trigger PHP object-injection gadget chains. Use json_decode for client data instead.

Why it matters

unserialize() on a superglobal reconstructs PHP objects from client-supplied data, which can trigger object-injection gadget chains that reach dangerous magic methods (__wakeup, __destruct). This is a direct path from request input to code execution.

How to fix it

Never unserialize client data. Use json_decode for structured input from clients. If you must accept serialized PHP, pass the allowed_classes option to unserialize to restrict it, and sign the payload so it cannot be tampered with. Prefer a signed JSON token over PHP serialization entirely.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks