This is an automated email from the ASF dual-hosted git repository. jimin pushed a commit to branch docusaurus in repository https://gitbox.apache.org/repos/asf/incubator-seata-website.git
The following commit(s) were added to refs/heads/docusaurus by this push: new f93ca4866f3 add Serialization Security page (#1013) f93ca4866f3 is described below commit f93ca4866f3b8b92217ba82945b6c204d4c26407 Author: jimin <sliev...@163.com> AuthorDate: Mon Aug 18 10:07:35 2025 +0800 add Serialization Security page (#1013) Signed-off-by: slievrly <sliev...@163.com> --- docs/security/serialization.md | 1 + .../current/security/serialization.md | 25 ++++++++++++++++++++++ .../current/security/serialization.md | 25 ++++++++++++++++++++++ sidebars.js | 1 + 4 files changed, 52 insertions(+) diff --git a/docs/security/serialization.md b/docs/security/serialization.md new file mode 100644 index 00000000000..8f9293a8d53 --- /dev/null +++ b/docs/security/serialization.md @@ -0,0 +1 @@ +Placeholder. DO NOT DELETE. diff --git a/i18n/en/docusaurus-plugin-content-docs/current/security/serialization.md b/i18n/en/docusaurus-plugin-content-docs/current/security/serialization.md new file mode 100644 index 00000000000..ddf049784cf --- /dev/null +++ b/i18n/en/docusaurus-plugin-content-docs/current/security/serialization.md 
@@ -0,0 +1,25 @@ +--- +title: serialization security +keywords: [serialization,security] +description: serialization security +--- + +# Serialization Security + +## Overview +Seata supports the extension of serialization protocols for communication transmission and database persistence fields. In theory, users can enable any serialization protocol based on this extension mechanism, which offers significant flexibility. However, it is critical to be aware of the inherent security risks. +Data deserialization is one of the most vulnerable points attackers may exploit to execute Remote Code Execution (RCE) attacks, steal data, or compromise server operations. Before switching to or implementing a serialization protocol, users must thoroughly evaluate the security safeguards of both the target protocol and its framework implementation. The Seata framework itself cannot guarantee the security of any serialization mechanism other than the default Seata serialization. + +The serialization protocols officially supported by Seata include: +- Seata +- Protobuf +- Kryo +- Hessian2 +- Fury +- Fastjson2 +- FST + +For these serialization extensions, upon discovering or receiving vulnerability reports, the Seata team will follow up and upgrade dependencies to the latest secure versions. However, the final vulnerability resolution depends on the implementation of the serialization framework. + +## Recommendations +In scenarios without specific requirements, we strongly recommend using the default Seata serialization. The Seata serialization implements custom Encode and Decode logic for all Messages, with zero dependency on third-party serialization frameworks, ensuring both performance and security. diff --git a/i18n/zh-cn/docusaurus-plugin-content-docs/current/security/serialization.md b/i18n/zh-cn/docusaurus-plugin-content-docs/current/security/serialization.md new file mode 100644 index 00000000000..5fd582030e6 --- /dev/null 
+++ b/i18n/zh-cn/docusaurus-plugin-content-docs/current/security/serialization.md @@ -0,0 +1,25 @@ +--- +title: 序列化安全 +keywords: [序列化,安全] +description: 序列化安全 +--- + +# 序列化安全 + +## 概述 +Seata 支持通信传输和数据库持久化字段的序列化协议扩展,理论上用户可以基于该扩展机制启用任意的序列化协议,这带来了极大的灵活的,但同时也要意识到其中潜藏的安全性风险。 +数据反序列化是最容易被被攻击者利用的一个环节,攻击者利用它执行 RCE 攻击等窃取或破坏服务端数据。 用户在切换序列化协议或实现前, 应充分调研目标序列化协议及其框架实现的安全性保障。 Seata 框架自身并不能直接保证除默认提供的Seata序列化外的其他目标序列化机制的安全性。 + +Seata 官方提供的序列化包括以下几种: +- Seata +- Protobuf +- Kryo +- Hessian2 +- Fury +- Fastjson2 +- FST + +针对以上序列化扩展,在发现或收到相关的漏洞报告之后,Seata 官方会跟进并升级依赖到最新的安全版本,但最终的漏洞修复方案取决于序列化的框架实现。 + +## 建议 +在无特殊需求的场景下,我们强烈建议您使用默认的 Seata 序列化,Seata 序列化对所有使用的 Message 做了Encode和 Decode 的实现,在实现中完全不依赖任何序列化框架,以保证性能和安全性。 diff --git a/sidebars.js b/sidebars.js index 8012fdd30c1..37b08a5f48e 100644 --- a/sidebars.js +++ b/sidebars.js @@ -192,6 +192,7 @@ const sidebars = { collapsible: false, items: [ 'security/secret-key', + 'security/serialization', ], }, ], --------------------------------------------------------------------- To unsubscribe, e-mail: notifications-unsubscr...@seata.apache.org For additional commands, e-mail: notifications-h...@seata.apache.org
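Review bot: the new docs/security/serialization.md holds only "Placeholder. DO NOT DELETE." with nothing saying where the real page lives; a one-line note in the file (or in the commit message) that the English and Chinese content is under i18n/*/docusaurus-plugin-content-docs/current/security/serialization.md would stop a later contributor from filling the placeholder in or removing it.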
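Review bot: the closing sentence of the Recommendations section in i18n/en/.../serialization.md ("with zero dependency on third-party serialization frameworks, ensuring both performance and security") claims more than the design gives; keeping third-party deserialization libraries out of the code path removes their gadget chains from the attack surface, but the custom Encode and Decode logic still has to validate what it reads. Suggest wording such as "which keeps third-party deserialization risks out of the code path" and, since the page tells users to "thoroughly evaluate" a protocol before switching, name the configuration option that selects the serializer so readers can check which one is active. Minor: the front matter title "serialization security" is lowercase while the H1 is "Serialization Security", and the description merely repeats the title.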
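Review bot: two typos in the i18n/zh-cn/.../serialization.md hunk: "这带来了极大的灵活的" should read "这带来了极大的灵活性", and "最容易被被攻击者利用" has a doubled "被". The Overview paragraph also mixes full-width and half-width spacing ("默认提供的Seata序列化", "Encode和 Decode 的实现"); align with the spacing used in the rest of the page.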