NotSoCereal-Lab: A Deserialization exploit playground


TL;DR: NotSoSecure is releasing a new VM to hone your Deserialization skills at

Deserialization issues are the newest trend in information security. They rose to fame with the infamous Java deserialization bugs; however, the issues are not limited to one language. Serialization and deserialization are common actions performed in almost all modern programming languages.

As notorious as these issues are, there is a serious lack of playgrounds for honing your skill in such topics. Enter NotSoCereal.

NotSoCereal is an exploitation playground from NotSoSecure for deserialization issues. At this point, it contains issues in Java, PHP, Python and Node. We are working to make more languages available.

We have created labs for the following programming languages:

  • Java

  • PHP

  • Python

  • Node

Below is a sneak peek of our labs once fully deployed on a local machine:

Labs once fully deployed on a local machine

You can also use our “Serialized Payload Generator” tool to help solve the above challenges.

!! Spoiler Alert !!

And if you get stuck with any of the above challenges, the answers are available via the following links:

Please find the VM and deployment guide at