Safeguard
Vulnerabilities

Java Vulnerability Classes: A Reference List

A java vulnerability list organized by class — deserialization, injection, XXE, and the rest — because Java's ecosystem produces a specific, recurring set of vulnerability patterns worth knowing by name.

Safeguard Research Team
Research
5 min read

A useful java vulnerability list isn't just a set of CVE numbers — it's organized around the recurring vulnerability classes that Java's ecosystem produces again and again, because a small number of patterns account for a disproportionate share of real findings across Java codebases. This is a reference list by class, with what causes each and how it typically gets found.

What are the most common Java vulnerability classes?

Insecure deserialization

Java's native serialization mechanism (ObjectInputStream.readObject()) reconstructs arbitrary objects from a byte stream, and if that stream is attacker-controlled, deserializing it can trigger a chain of method calls ("gadget chain") that leads to remote code execution — without the application ever explicitly calling anything resembling exec(). This class became infamous following widespread exploitation tied to common libraries like Apache Commons Collections, and it remains one of the highest-severity classes in the Java ecosystem because it frequently leads directly to RCE.

XML External Entity (XXE) injection

Java's default XML parser configurations (in libraries like javax.xml.parsers and various third-party parsers) have historically processed external entity references by default, which lets an attacker who controls XML input read arbitrary local files, perform server-side request forgery, or cause denial of service, simply by including a malicious DOCTYPE declaration. The fix is straightforward (disable external entity resolution explicitly) but the vulnerable default is easy to miss.

SQL and other injection

Classic injection — building queries or commands by concatenating untrusted input rather than using parameterized queries — remains common in Java applications that bypass JPA/Hibernate's parameterized query support in favor of hand-built JDBC strings, or that construct OS commands, LDAP queries, or expression-language statements from user input.

Path traversal

Java web applications that build filesystem paths from user input (a filename parameter used to serve or read a file) without properly validating and normalizing the path are vulnerable to ../ sequences that let an attacker read or write files outside the intended directory.

Expression Language (EL) and OGNL injection

Frameworks that evaluate expression languages against user-influenced input — Spring's SpEL, Struts' OGNL — have produced some of the most severe Java framework vulnerabilities on record, since a successful injection into the expression evaluator frequently yields direct remote code execution.

Server-Side Request Forgery (SSRF)

Java applications that fetch a URL supplied by user input (webhooks, image-fetching features, URL preview generators) without restricting the destination can be tricked into making requests to internal-only services, cloud metadata endpoints, or other systems the attacker couldn't reach directly.

Insecure use of reflection

Java's reflection API lets code invoke methods and access fields dynamically by name, which is powerful for frameworks but dangerous when the class or method name comes from untrusted input — it can be abused to bypass access modifiers, invoke unintended methods, or contribute to deserialization gadget chains.

Vulnerable and outdated dependencies

Not a code pattern so much as a supply-chain fact: Java's dependency ecosystem (Maven Central, primarily) has produced some of the most widely felt vulnerabilities in the industry's recent history, where the vulnerability lives entirely in a third-party library rather than in any code the application team wrote themselves.

Why do these particular classes keep showing up in Java specifically?

A few structural reasons: Java's serialization mechanism is unusually powerful and unusually dangerous when exposed to untrusted input, in a way many other mainstream languages simply don't replicate by default. Java's enterprise frameworks (Spring, Struts, and others) lean heavily on expression languages and reflection for flexibility, which creates injection surface that a simpler framework wouldn't have. And Java's dependency ecosystem is large, deep, and often transitively inherited many layers down, which means a vulnerable library can end up in an application without any developer having directly chosen it.

How should a team actually use a vulnerability class list like this?

Treat it as a checklist for code review and static analysis tuning, not a memorization exercise. Static analysis (SAST) tools generally have specific rules for each of these classes — insecure deserialization sinks, unsafe XML parser configuration, unparameterized query construction — and knowing the class names helps you interpret a scanner's findings correctly rather than treating every alert as an undifferentiated "vulnerability." For the dependency-driven classes specifically, SCA scanning against Maven Central's known-vulnerability data is the mechanism that actually catches them, since no amount of reviewing your own code finds a bug that lives entirely in a library you imported.

FAQ

What's the most severe Java vulnerability class?

Insecure deserialization is generally considered the most severe, because a successful exploit frequently leads directly to remote code execution through a gadget chain, often without any obvious "dangerous function call" in the vulnerable code itself.

How do you prevent XXE vulnerabilities in Java?

Explicitly disable external entity and DTD processing on whichever XML parser you're using — the vulnerable behavior is a default setting, not something you have to opt into, which is exactly why it's so commonly missed.

Are Java framework vulnerabilities (Spring, Struts) different from vulnerabilities in application code?

They're a subset of the same classes (often injection or deserialization) but scoped to the framework itself rather than code you wrote — which means they arrive and get fixed via framework updates, making them a dependency-management problem as much as a code problem.

Does using a modern framework like Spring Boot eliminate these vulnerability classes?

No — modern frameworks reduce some risk through safer defaults, but every class on this list has appeared in Spring or Spring Boot applications at some point. Framework choice reduces likelihood, not possibility.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.