PortSwigger
portswigger.net › web-security › deserialization
Insecure deserialization | Web Security Academy
These checks are also fundamentally flawed as they rely on checking the data after it has been deserialized, which in many cases will be too late to prevent the attack. Vulnerabilities may also arise because deserialized objects are often assumed to be trustworthy.
Oracle
docs.oracle.com › en › java › javase › 21 › core › addressing-serialization-vulnerabilities.html
Addressing Deserialization Vulnerabilities - Java
October 20, 2025 - For example, if object construction has side effects that change state or invoke other actions, then those actions can compromise the integrity of application objects, library objects, and even the Java runtime. "Gadget classes," which can perform arbitrary reflective actions such as create classes and invoke methods on them, can be deserialized maliciously to cause a denial of service or remote code execution.
Discussions

contrast-rO0 - a better fix for the java deserialization vulnerability

It's not really a fix, but a way to mitigate the exploitation. Your application can still have other usable classes that can be used.

r/netsec
November 13, 2015
Unsafe deserialization in SnakeYaml - Exploring CVE-2022-1471
Why no fancy Snake4Shell name? Just kidding, please don't do that. Deserialization is always a big security concern, especially if it's from outside sources.
r/java
December 15, 2022
Is serialization considered a security risk?

No, the real risk with Java is that objects could be created arbitrarily with serialization and deserialization. This means if you can inject a crafted serialized object into the program's input, you could create any object and anything in that object's constructor or destructor or whatever would run. It just wasn't safe; it was a bad idea to have or use publicly such a flexible method to serialize and deserialize objects.

With Rust and Serde, you have a much more strict, defined deserialization process. If you have a struct with a few fields and you want to deserialize that from JSON, that's all that's going to be deserialized. Arbitrary objects cannot be created in the same way. It's not vulnerable to the class of vulnerabilities discussed in the article above.

r/rust
May 27, 2018
Jackson deserialization vulnerability and RCE using JDBC/H2 driver

https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 is really integral here (and the authors do link it!).

Jackson with enableDefaultTyping can never be secure - the attack surface is simply too large. We had this very same problem with normal java serialization. You should never deserialize untrusted data with default typing enabled (and contrary to the name, it is not actually enabled by default).

If you know this, the recent Jackson RCEs are completely irrelevant to you. This actually makes the hundreds of mails I receive from github about the "next best" jackson CVE in my github projects really annoying, because they're never actually exploitable if you don't do dumb shit.

r/netsec
July 23, 2019
NIST
nvd.nist.gov › vuln › detail › CVE-2026-20131
NVD - CVE-2026-20131
March 4, 2026
OWASP Foundation
owasp.org › www-community › vulnerabilities › Insecure_Deserialization
Insecure Deserialization | OWASP Foundation
Attacks against deserializers have been found to allow denial-of-service, access control, and remote code execution (RCE) attacks. Suppose a Java application uses the native Java serialization to save a Cookie object to the user’s hard drive.
GitHub
github.com › GrrrDog › Java-Deserialization-Cheat-Sheet
GitHub - GrrrDog/Java-Deserialization-Cheat-Sheet: The cheat sheet about Java Deserialization vulnerabilities · GitHub
A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries.
Waratek
waratek.com › home › blogs › attack prevention › what is a java deserialization vulnerability?
What is a Java Deserialization Vulnerability? - Waratek
January 30, 2023 - A Java deserialization vulnerability occurs when a Java application deserializes untrusted data and is a seldom-mentioned yet massive Application Security issue.
Red Hat
redhat.com › en › blog › jdk-approach-address-deserialization-vulnerability
JDK approach to address deserialization vulnerability
November 17, 2025 - While Java deserialization is not a vulnerability itself, deserialization of untrusted data using JDK's native serialization framework is. It is important to differentiate between the two, as the latter is introduced by a bad application design ...
Snyk
snyk.io › blog › serialization-and-deserialization-in-java
Serialization and deserialization in Java | Snyk Blog | Snyk
December 18, 2020 - A Java deserialize vulnerability is a security vulnerability that occurs when a malicious user tries to insert a modified serialized object into the system in order to compromise the system or its data.
OWASP
owasp.org › www-chapter-stuttgart › assets › slides › 2024-12-10_Exploiting_deserialization_vulnerabilities_in_recent_Java_versions.pdf
Exploiting deserialization vulnerabilities in recent Java versions
December 10, 2024 - Deserialization vulnerability: the bytestream contains class information, i.e. which class will be deserialized; attackers control this information, forcing the deserialization of a different object than the one that is expected; still one of the most common ways to get Remote Code ...
Baeldung
baeldung.com › home › java › core java › deserialization vulnerabilities in java
Deserialization Vulnerabilities in Java | Baeldung
June 24, 2025 - Some deserialization exploits allow an attacker to execute custom Java code that could lead to denial of service attacks, stealing of user session or unauthorized access to resources.
CSO Online
csoonline.com › home › security › application security
Java deserialization vulnerabilities explained and how to defend against them | CSO Online
August 26, 2021 - For example, in July this year, a critical vulnerability (CVE-2021-35464) in ForgeRock’s OpenAM stemmed from unsafe Java deserialization in the Jato framework used by the application. Through a simple GET request, an attacker could send a crafted serialized object to the server and execute their malicious code.
Snyk Learn
learn.snyk.io › home › security education › insecure deserialization | tutorials & examples
Insecure Deserialization | Tutorials & Examples | Snyk Learn
March 25, 2022 - An insecure implementation trusts the incoming data too much, failing to use serde's protective features or to validate the application's state after deserialization. Now, let’s use a utility from Google: jdeserialize.
Dark Reading
darkreading.com › home › application security
Why The Java Deserialization Bug Is A Big Deal
October 17, 2023 - The so-called Java deserialization vulnerability affects virtually all apps that accept serialized Java objects and gives attackers a way to gain complete remote control of an app server.
Broadcom
knowledge.broadcom.com › external › article › 7834 › java-deserialization-vulnerability-with.html
Java Deserialization Vulnerability with Service Catalog
February 5, 2024 - Security software tools detected the "Java Deserialization Vulnerability" on Service Catalog Server
GitHub
github.com › Jake-Schoellkopf › Insecure-Java-Deserialization
GitHub - Jake-Schoellkopf/Insecure-Java-Deserialization · GitHub
Both CVEs describe a vulnerability in the Jackson library, and this vulnerability allows attackers to exploit deserialization to achieve Remote Code Execution (RCE) on a server. This is accomplished through enabling "Default Typing" in Jackson ...
Author: Jake-Schoellkopf
PortSwigger
portswigger.net › web-security › deserialization › exploiting
Exploiting insecure deserialization vulnerabilities | Web Security Academy
Even if you don't have access to the source code, you can use these tools to both identify and exploit insecure deserialization vulnerabilities with relatively little effort. This approach is made possible due to the widespread use of libraries that contain exploitable gadget chains. For example, if a gadget chain in Java's Apache Commons Collections library can be exploited on one website, any other website that implements this library may also be exploitable using the same chain.
OWASP Cheat Sheet Series
cheatsheetseries.owasp.org › cheatsheets › Deserialization_Cheat_Sheet.html
Deserialization - OWASP Cheat Sheet Series
2. XStream with fromXML method (xstream version <= v1.4.6 is vulnerable to the serialization issue) ... If the captured traffic data includes the following patterns, it may suggest that the data was sent in Java serialization streams: ... If there are data members of an object that should never be controlled by end users during deserialization or exposed to users during serialization, they should be declared as the transient keyword (section Protecting Sensitive Information).
Google Cloud
cloud.google.com › blog › topics › threat-intelligence › hunting-deserialization-exploits
Now You Serial, Now You Don’t — Systematically Hunting for Deserialization Exploits | Google Cloud Blog
March 25, 2024 - Just last week, a JNDI command injection 0-day was released for the log4j Java logging package (CVE-2021-44228). For this blog post, we will limit our scope to attacks that occur over HTTP. This will allow us to focus our initial research while targeting the majority of deserialization exploitation attempts. While any language can theoretically be at risk, some of the common languages/object types exploited with this class of vulnerability are serialized Java objects, .NET ViewStates, pickled Python objects, and serialized PHP objects.