Why do deserialization vulnerabilities exist?
Deserialization exploits exist due to flaws in how applications handle serialized data. Serialization is the process of converting complex data structures (like objects) into a format that can be easily stored or transmitted (e.g., JSON, XML, or binary formats). Deserialization is the reverse process, where the serialized data is converted back into its original form (e.g., objects or data structures).
Deserialization exploits occur when an attacker can manipulate the serialized data in such a way that, when deserialized, it causes unintended behavior in the application.
In DotNetNuke, the main reason is the lack of type checking when deserializing the serialized data.
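To illustrate that last point, here is an added C# example (not DotNetNuke's own code) showing a deserializer that lets the untrusted document name the type to construct, beside a hardened version that maps the type tag through an allowlist first. The UserProfile class, the envelope format and ProfileStore are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

// Hypothetical data class standing in for whatever the application stores.
public class UserProfile
{
    public string DisplayName { get; set; }
}

public static class ProfileStore
{
    // Vulnerable pattern: the type to construct is read from the untrusted document,
    // so whoever controls the input also controls which class gets instantiated.
    public static object LoadUnchecked(string xml)
    {
        var doc = new XmlDocument();
        doc.LoadXml(xml);
        string typeName = doc.DocumentElement.GetAttribute("type");
        var serializer = new XmlSerializer(Type.GetType(typeName));
        using (var reader = new XmlNodeReader(doc.DocumentElement.FirstChild))
            return serializer.Deserialize(reader);
    }

    // Hardened pattern: resolve the type tag through an allowlist of expected types
    // and reject anything else before a serializer is ever created.
    private static readonly Dictionary<string, Type> Allowed =
        new Dictionary<string, Type> { { "UserProfile", typeof(UserProfile) } };

    public static object LoadChecked(string xml)
    {
        var doc = new XmlDocument();
        doc.LoadXml(xml);
        string typeName = doc.DocumentElement.GetAttribute("type");
        if (!Allowed.TryGetValue(typeName, out Type expected))
            throw new InvalidDataException("unexpected serialized type: " + typeName);
        var serializer = new XmlSerializer(expected);
        using (var reader = new XmlNodeReader(doc.DocumentElement.FirstChild))
            return serializer.Deserialize(reader);
    }

    public static void Main()
    {
        // Constructed sample inputs; in a real application the body comes from the client.
        const string good = "<envelope type=\"UserProfile\"><UserProfile>"
            + "<DisplayName>alice</DisplayName></UserProfile></envelope>";
        const string bad = "<envelope type=\"NotAnExpectedType\"><NotAnExpectedType/></envelope>";
        Console.WriteLine(((UserProfile)LoadChecked(good)).DisplayName);
        try { LoadChecked(bad); }
        catch (InvalidDataException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The difference between the two loaders is the single allowlist lookup: the hardened version never calls Type.GetType on attacker-supplied text, so the set of types that can be instantiated is fixed by the code rather than by the payload.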