Safeguard
Tag

java-deserialization

Safeguard articles tagged "java-deserialization" — guides, analysis, and best practices for software supply chain and application security.

10 articles

Application Security

Java deserialization gadget chains explained

One 2015 talk and a tool called ysoserial turned ordinary Java libraries into remote code execution chains — here's how gadget chains work and how to stop them.

Jul 13, 20266 min read
Vulnerability Analysis

Apache Commons Collections deserialization gadget RCE (CVE-2015-7501)

A decade-old Apache Commons Collections deserialization gadget chain still enables unauthenticated RCE across legacy Java middleware. Here's how to find and fix it.

Jan 11, 20268 min read
Vulnerability Analysis

Jackson-databind gadget chain RCE (CVE-2019-12384)

CVE-2019-12384 lets attacker-controlled JSON trigger a jackson-databind gadget chain via Logback, turning polymorphic deserialization into remote code execution.

Dec 25, 20258 min read
Vulnerability Analysis

Apache Commons FileUpload RCE (CVE-2016-1000031)

CVE-2016-1000031 is a critical Apache Commons FileUpload deserialization RCE that still lurks in transitive Java dependencies years after its fix.

Dec 24, 20257 min read
Vulnerability Analysis

Apache Shiro remember-me cookie deserialization RCE (CVE-2016-4437)

Apache Shiro's default rememberMe cipher key enables unauthenticated Java deserialization RCE. Here's how CVE-2016-4437 works and how to fix it.

Dec 23, 20258 min read
Vulnerability Analysis

Java deserialization gadget chains explained

Java deserialization gadget chains turn trusted classpath libraries into RCE. Learn how they work, key CVEs like CVE-2015-4852, and how to detect them.

Dec 2, 20256 min read
DevSecOps

Jenkins CLI Java Deserialization Remote Code Execution (C...

CVE-2017-1000353 let attackers gain unauthenticated RCE on Jenkins via CLI Java deserialization. Here's the impact, timeline, and how to remediate it.

Nov 26, 20258 min read
Vulnerability Analysis

CVE-2019-12814: Jackson-databind polymorphic type gadget ...

A look at CVE-2019-12814, a jackson-databind polymorphic typing gadget tied to JAXB classes, its risk profile, and how to remediate it in modern Java stacks.

Sep 30, 20257 min read
Vulnerability Analysis

CVE-2019-14379: Jackson-databind deserialization via jdk....

CVE-2019-14379 lets attackers abuse jackson-databind's polymorphic deserialization via a JDK Nashorn gadget class. Here's the risk, fix, and detection guidance.

Sep 29, 20257 min read
Vulnerability Analysis

CVE-2016-1000027: Remote code execution via Spring HttpIn...

A decade-old flaw in Spring's HttpInvokerServiceExporter enables unauthenticated RCE via Java deserialization. Severity, timeline, and remediation for CVE-2016-1000027.

Sep 22, 20257 min read
java-deserialization — Safeguard Blog