java-deserialization
Safeguard articles tagged "java-deserialization" — guides, analysis, and best practices for software supply chain and application security.
10 articles
Java deserialization gadget chains explained
One 2015 talk and a tool called ysoserial turned ordinary Java libraries into remote code execution chains — here's how gadget chains work and how to stop them.
Apache Commons Collections deserialization gadget RCE (CVE-2015-7501)
A decade-old Apache Commons Collections deserialization gadget chain still enables unauthenticated RCE across legacy Java middleware. Here's how to find and fix it.
Jackson-databind gadget chain RCE (CVE-2019-12384)
CVE-2019-12384 lets attacker-controlled JSON trigger a jackson-databind gadget chain via Logback, turning polymorphic deserialization into remote code execution.
Apache Commons FileUpload RCE (CVE-2016-1000031)
CVE-2016-1000031 is a critical Apache Commons FileUpload deserialization RCE that still lurks in transitive Java dependencies years after its fix.
Apache Shiro remember-me cookie deserialization RCE (CVE-2016-4437)
Apache Shiro's default rememberMe cipher key enables unauthenticated Java deserialization RCE. Here's how CVE-2016-4437 works and how to fix it.
Java deserialization gadget chains explained
Java deserialization gadget chains turn trusted classpath libraries into RCE. Learn how they work, key CVEs like CVE-2015-4852, and how to detect them.
Jenkins CLI Java Deserialization Remote Code Execution (C...
CVE-2017-1000353 let attackers gain unauthenticated RCE on Jenkins via CLI Java deserialization. Here's the impact, timeline, and how to remediate it.
CVE-2019-12814: Jackson-databind polymorphic type gadget ...
A look at CVE-2019-12814, a jackson-databind polymorphic typing gadget tied to JAXB classes, its risk profile, and how to remediate it in modern Java stacks.
CVE-2019-14379: Jackson-databind deserialization via jdk....
CVE-2019-14379 lets attackers abuse jackson-databind's polymorphic deserialization via a JDK Nashorn gadget class. Here's the risk, fix, and detection guidance.
CVE-2016-1000027: Remote code execution via Spring HttpIn...
A decade-old flaw in Spring's HttpInvokerServiceExporter enables unauthenticated RCE via Java deserialization. Severity, timeline, and remediation for CVE-2016-1000027.