Which vulnerability involves maliciously crafted serialized data that, when deserialized, can execute code or alter behavior?

Prepare for the Certified Ethical Hacker Version 11 Exam. Study with comprehensive questions and explanations. Equip yourself with the skills needed for success!

Multiple Choice

Which vulnerability involves maliciously crafted serialized data that, when deserialized, can execute code or alter behavior?

Explanation:
Insecure deserialization happens when an application deserializes data from an untrusted source and the reconstruction process can run code or alter how the program behaves. The serialized payload can be crafted to exploit the deserializer’s trust in the data, triggering methods or gadget chains during reconstruction that execute actions with elevated privileges or change the program’s state. This is what makes it a vulnerability: the security risk arises specifically from deserializing untrusted input without proper safeguards. The other answer choices describe different issues—deserialization is just the process itself, parameter/form tampering targets inputs in transit, and unvalidated redirects deal with unsafe navigation—so they don’t capture the risk of executing code or changing behavior through crafted serialized data. To mitigate, avoid deserializing untrusted data, use integrity checks or signatures, restrict which types can be deserialized, and prefer safer serialization methods or updated frameworks.