Java object deserialization of user-supplied data
Description
The application accepts user-supplied data and deserializes it into Java objects without proper validation. Java deserialization converts byte streams back into objects, and when performed on untrusted input, attackers can craft malicious serialized objects that execute arbitrary code during the deserialization process. This vulnerability is particularly dangerous because exploitation does not require application-specific flaws—only the presence of certain common libraries in the classpath.
Remediation
Avoid deserializing user-supplied data entirely. If deserialization is absolutely necessary, implement the following security controls:
1. Use Safe Data Formats: Replace Java serialization with safer alternatives such as JSON or XML with strict schema validation.
2. Implement Deserialization Filters: If you must use Java deserialization, use the built-in deserialization filters (Java 9+) to whitelist the classes the stream is allowed to contain:

   // Install the filter before the first readObject() call.
   ObjectInputStream ois = new ObjectInputStream(inputStream);
   ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
       // Patterns are checked in order; the trailing "!*" rejects every other class.
       "com.yourcompany.safe.Class1;com.yourcompany.safe.Class2;!*"
   ));
   Object obj = ois.readObject();

3. Use Look-Ahead Deserialization: For Java 8 and earlier, use libraries such as SerialKiller or NotSoSerial to validate class types before deserialization.
4. Apply Defense in Depth: Run the application with minimal privileges, remove unnecessary libraries from the classpath (especially Apache Commons Collections 3.x), and monitor for suspicious deserialization activity.
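Added example (not code from the original page) that puts controls 2 and 3 together in one Java 9+ program: a JEP 290 allow-list filter with resource limits, and a look-ahead `resolveClass()` override of the kind the Java 8 libraries implement. The `Greeting` class, the allow-list entries and the limit values are constructed for the example; the `Date` object stands in for any class the application did not expect.

```java
import java.io.*;
import java.util.*;
public class SafeDeserialize {
  // Constructed sample type: the only application class the stream is expected to carry.
  static final class Greeting implements Serializable {
    private static final long serialVersionUID = 1L;
    final String text;
    Greeting(String text) { this.text = text; }
  }
  // Java 9+ (JEP 290) filter: allow-list plus resource limits. Patterns are checked
  // in order, so the trailing "!*" rejects every class that matched no earlier entry.
  static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
      "maxdepth=5;maxrefs=50;maxbytes=4096;maxarray=0;"
      + "SafeDeserialize$Greeting;java.lang.String;!*");
  static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
    try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
      ois.setObjectInputFilter(FILTER); // must be installed before readObject()
      return ois.readObject();
    }
  }
  // Look-ahead check (the approach SerialKiller/NotSoSerial take for Java 8): resolveClass()
  // runs when the class descriptor is read, before any instance of that class is created.
  static Object readLookAhead(byte[] data, Set<String> allowed) throws IOException, ClassNotFoundException {
    try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data)) {
      @Override
      protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!allowed.contains(desc.getName())) {
          throw new InvalidClassException(desc.getName(), "not on the deserialization allow-list");
        }
        return super.resolveClass(desc);
      }
    }) {
      return ois.readObject();
    }
  }
  static byte[] serialize(Object o) throws IOException {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
    return bos.toByteArray();
  }
  public static void main(String[] args) throws Exception {
    byte[] expected = serialize(new Greeting("hello"));
    byte[] unexpected = serialize(new Date()); // stands in for any class not on the list
    Set<String> allowed = Collections.singleton("SafeDeserialize$Greeting");
    System.out.println(((Greeting) readFiltered(expected)).text + " / " + ((Greeting) readLookAhead(expected, allowed)).text);
    try { readFiltered(unexpected); } catch (InvalidClassException e) { System.out.println("filter: " + e.getMessage()); }
    try { readLookAhead(unexpected, allowed); } catch (InvalidClassException e) { System.out.println("look-ahead: " + e.getMessage()); }
  }
}
```

Run with `java SafeDeserialize.java` (Java 11+): the `Greeting` stream is accepted by both readers, while the `Date` stream is rejected by the filter and by the look-ahead check before any `Date` object is instantiated.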