https://www.secdev.uk/blog/tags/cwe-829/ Recent content in CWE-829 on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 10 May 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-05-10-integrity-failures/ Sat, 10 May 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-05-10-integrity-failures/ <p>Integrity failures happen when an application trusts data or code that hasn&rsquo;t been verified, and they can lead to some of the most devastating compromises out there. OWASP A08 covers two patterns I find particularly fascinating: unsafe deserialization (CWE-502), where untrusted data is fed into a deserializer that can execute arbitrary code, and inclusion of functionality from untrusted sources (CWE-829), where the application loads and runs code from URLs, plugins, or scripts without integrity checks. Both patterns share a root cause, the application assumes that incoming data or code is benign. In this post I&rsquo;ll walk through Python, Java, JavaScript, and Go, from the textbook <code>pickle.loads()</code> to the subtle VM sandbox escapes that can survive expert review.</p>