Deserialization
What is it?
Deserialization is the reverse of serialization: turning stored or transmitted data (like JSON or bytes) back into in-memory objects a program can use.
Explain like I'm 5
Why was it created?
Data arrives as text or bytes, but programs work with objects. Deserialization was created to reconstruct usable structures from that data.
Where is it used?
- Parsing API responses
- Loading saved data
- Receiving messages between services
- Reading cached values
Why should developers care?
Reading API responses, files, and messages all rely on deserialization — and it's a common source of bugs and security issues.
How does it work?
A deserializer reads the data in its format (e.g. JSON), validates and maps fields to an object's structure, and produces an in-memory object the program can work with.
Real-world example
A client receives JSON from an API and deserializes it into a User object so the rest of the code can use its fields directly.
Common use cases
- Reading API bodies
- Restoring saved state
- Consuming messages
- Loading configuration
Advantages
- Turns portable data back into usable objects
- Enables working with received data
- Supports many formats
- Often automatic in frameworks
Disadvantages
- Untrusted input is a real security risk
- Format/schema mismatches cause errors
- Can be slow for large payloads
- Needs validation
When should you use it?
Whenever your program receives or loads serialized data it must use as objects.
When should you avoid it?
Not avoidable when consuming external data; the key is doing it safely with validation.
Alternatives
Related terms
Interview questions
Beginner
- What is deserialization?
- How does it relate to serialization?
Intermediate
- Why validate deserialized input?
- What can go wrong with mismatched schemas?
Senior
- What are deserialization security risks (e.g. untrusted input)?
- How do you safely deserialize data from external sources?
Common misconceptions
- "Deserialization is harmless parsing" — deserializing untrusted data is a well-known security risk and must be validated.
- "Serialization and deserialization are one step" — they're inverse operations: one writes, the other reads.
Fun facts
- Insecure deserialization has appeared on lists of top web security risks.
- It's the inverse of serialization, sometimes called unmarshalling.
Timeline
- 2000s — JSON parsing becomes ubiquitous on the web
Learning resources
Quick summary
Deserialization reconstructs in-memory objects from serialized data like JSON or bytes, so received or stored data becomes usable — validate untrusted input.
Cheat sheet
- Portable format → object
- Inverse of serialization
- Validate untrusted input
- Common security pitfall