mutated × unstructured — blows up live on input you didn't expect

Deserialized Type Confusion Crash

A payload reconstructs an object of an unexpected shape; the code mutates it as the type it assumed, and crashes on the first attribute that isn't there.

01 the recipe

In the wild

example.py
import json

# BadRequest, Record and save are the application's own names.

# SMELL: trust the deserialized shape, then mutate it as the assumed type.
# (insecure deserialization x this-mutation)
def handle_trusting(body):
    data = json.loads(body)          # could be a list, str, number -- anything
    data["seen"] = True              # assumes a dict; TypeError on a list/str
    return save(data)

# RIGHT: parse into a known type at the boundary; reject the rest.
def handle_right(body):
    raw = json.loads(body)
    if not isinstance(raw, dict):
        raise BadRequest("object expected")
    record = Record(**raw)           # validated shape; safe to mutate
    record.seen = True
    return save(record)

json.loads returns whatever the payload encodes; treating it as a dict and mutating it crashes the moment a client sends a list or scalar. Parse the untrusted bytes into a known type at the boundary (parse, don't validate) so the rest of the code operates on a shape it can trust.
// observed
trusting: TypeError: 'list' object does not support item assignment
right: shape validated at the edge; a bad payload fails with a clear 400
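
A fuller version of the RIGHT handler, added here as an example (not code from the original page): besides rejecting non-objects, it maps invalid JSON, missing or unknown keys, and wrong field types to the same BadRequest, so every malformed payload ends as a 400 instead of an unhandled exception. The Record fields, the BadRequest class and the status_for helper are assumptions made for illustration.

```python
import json
from dataclasses import dataclass

class BadRequest(Exception):
    """Stand-in for the framework's HTTP 400 error (assumed)."""

@dataclass
class Record:
    # Hypothetical fields; the page does not define Record.
    id: int
    name: str
    seen: bool = False

_FIELDS = {"id": int, "name": str}   # required keys and their exact types

def parse_record(body: bytes) -> Record:
    """Turn untrusted bytes into a Record, or raise BadRequest."""
    try:
        raw = json.loads(body)
    except (ValueError, RecursionError) as exc:  # bad JSON, bad UTF-8, deep nesting
        raise BadRequest("invalid JSON") from exc
    if not isinstance(raw, dict):
        raise BadRequest("object expected")
    unknown = set(raw) - set(_FIELDS)
    if unknown:                      # also stops a client from setting "seen"
        raise BadRequest(f"unexpected fields: {sorted(unknown)}")
    for key, typ in _FIELDS.items():
        # type() rather than isinstance(): JSON true would otherwise pass as an int
        if key not in raw or type(raw[key]) is not typ:
            raise BadRequest(f"{key}: {typ.__name__} expected")
    return Record(**raw)

def handle(body: bytes) -> Record:
    record = parse_record(body)
    record.seen = True               # safe: this is a Record past the boundary
    return record

def status_for(body: bytes) -> int:
    """What a framework error handler would do: map BadRequest to 400."""
    try:
        handle(body)
        return 200
    except BadRequest:
        return 400
```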
02 weakness catalog

Mapped weaknesses (CWE)

On its own, this defect is catalogued by MITRE as one or more of these weaknesses. The exploitable vulnerability usually appears only when it chains or combines with another.