August 2018
Beginner
594 pages
22h 33m
English
Deserialization exploits become possible when an application or API deserializes data that an attacker can modify. If any class reachable from the serialized data changes its behavior during or after deserialization (for example, by running code from a deserialization hook), the result can be remote code execution, which can cause serious damage. Serialized data structures that carry access-control state, such as a user's role or identity, can also be tampered with to give an attacker unauthorized access or privileges.
The only complete defense against this vulnerability is to not accept serialized objects from untrusted sources at all. Where that is not possible, serialized objects should carry an integrity check (for example, a digital signature or MAC) that is verified before any deserialization takes place. Code that deserializes objects should ...
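The following is an added example, not code from the course or from any specific application, showing both failure modes described above with Python's `pickle` and then the two mitigations: an HMAC-SHA256 integrity tag verified before unpickling, and an allowlist of classes the unpickler may resolve. The key, the `Session` class, the `MaliciousPayload` gadget, and the `_attacker_callable` stand-in (which only records that it ran, instead of executing a command) are all constructed for the example.

```python
import hashlib
import hmac
import io
import pickle

# Constructed key for the example; a real service would load it from a secret store.
SECRET_KEY = b"example-only-hmac-key"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

EXECUTION_LOG = []  # records whether attacker-controlled code ran during a load


class Session:
    """Harmless application object; 'role' is the access-control data an attacker may tamper with."""

    def __init__(self, user, role):
        self.user = user
        self.role = role


def _attacker_callable(message):
    # Stand-in for os.system or similar: records that it ran instead of doing damage.
    EXECUTION_LOG.append(message)
    return message


class MaliciousPayload:
    """Constructed gadget: pickle calls __reduce__ when loading and runs the returned
    callable before the application ever sees an object (behaviour changed during deserialization)."""

    def __reduce__(self):
        return (_attacker_callable, ("code ran inside pickle.loads",))


def vulnerable_load(blob):
    """What the text warns against: deserialize whatever arrives, unchecked."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Second layer: even a validly signed blob may only reference allow-listed classes."""

    ALLOWED = {"Session"}

    def find_class(self, module, name):
        if module == __name__ and name in self.ALLOWED:
            return globals()[name]
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def sign(blob):
    """Prefix the serialized object with an HMAC-SHA256 tag computed over it."""
    return hmac.new(SECRET_KEY, blob, hashlib.sha256).digest() + blob


def verify_and_load(signed):
    """Check the tag in constant time before touching the pickle, then unpickle with the allowlist."""
    tag, blob = signed[:TAG_LEN], signed[TAG_LEN:]
    expected = hmac.new(SECRET_KEY, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed; blob not deserialized")
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo():
    """Runs each scenario through both loaders and returns the outcomes."""
    results = {}
    signed = sign(pickle.dumps(Session("alice", "user")))
    results["legit_role"] = verify_and_load(signed).role

    # Tampering with access-control data: attacker re-serializes with an elevated role.
    tampered = pickle.dumps(Session("alice", "admin"))
    results["tampered_via_vulnerable"] = vulnerable_load(tampered).role
    try:
        verify_and_load(signed[:TAG_LEN] + tampered)  # old tag, new body
        results["tampered_via_hardened"] = "accepted"
    except ValueError:
        results["tampered_via_hardened"] = "rejected"

    # Behaviour-changing class: code runs during deserialization.
    gadget = pickle.dumps(MaliciousPayload())
    EXECUTION_LOG.clear()
    vulnerable_load(gadget)
    results["gadget_ran_via_vulnerable"] = len(EXECUTION_LOG) == 1

    EXECUTION_LOG.clear()
    try:
        verify_and_load(gadget)  # unsigned: rejected before any unpickling
        results["gadget_via_hardened"] = "accepted"
    except ValueError:
        results["gadget_via_hardened"] = "rejected"
    try:
        verify_and_load(sign(gadget))  # assume the key leaked: the allowlist still blocks it
        results["signed_gadget_via_hardened"] = "accepted"
    except pickle.UnpicklingError:
        results["signed_gadget_via_hardened"] = "blocked"
    results["gadget_ran_via_hardened"] = len(EXECUTION_LOG) > 0
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The signature is checked before the bytes reach the unpickler, because deserialization itself is the dangerous step; the class allowlist is a defense in depth for the case where the signing key is compromised. Where the format can be chosen, a data-only format such as JSON removes the class-resolution problem entirely, which is the "do not accept serialized objects" option the text recommends first.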