[ https://issues.apache.org/jira/browse/LANG-1734?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18045196#comment-18045196 ]

Gary D. Gregory edited comment on LANG-1734 at 12/15/25 3:17 PM:
-----------------------------------------------------------------

Since our security model documents the expectation of trusted input to our 
methods, I updated the Javadoc to document a safer deserialization option in 
Javadoc for SerializationUtils, namely Commons IO's 
ValidatingObjectInputStream (https://commons.apache.org/proper/commons-io/apidocs/org/apache/commons/io/serialization/ValidatingObjectInputStream.html).


was (Author: garydgregory):
I updated the javadoc to document a safer deserialization option in Javadoc for 
SerializationUtils.



> Deprecate/replace SerializationUtils.deserialize
> ------------------------------------------------
>
>                 Key: LANG-1734
>                 URL: https://issues.apache.org/jira/browse/LANG-1734
>             Project: Commons Lang
>          Issue Type: Task
>          Components: lang.*
>            Reporter: Arnout Engelen
>            Priority: Minor
>             Fix For: 3.20.1
>
>
> SerializationUtils.deserialize should never be used with untrusted input: it 
> is generally not possible to prove the absence of classes on the classpath 
> that can be used as 'gadgets' for deserialization attacks.
> When SerializationUtils.deserialize was introduced, Java serialization was 
> still 'in vogue' and the JDK APIs for deserialization were awkward to use. 
> Nowadays, other serialization mechanisms (and serialization proxies) are more 
> popular, and the Java APIs have gotten much better, so there isn't much 
> reason for "SerializationUtils.deserialize" anymore.
> For these reasons, it might be good to deprecate 
> SerializationUtils.deserialize, or at least more clearly mark it as not 
> suitable to be used with untrusted input. We might also want to replace it 
> with variants that encourage allow/denylisting or other security filters, or 
> recommend 
> [https://docs.oracle.com/en/java/javase/11/core/serialization-filtering1.html]
>  for that.
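The following Java program is an added illustration of the point made in both the comment (use a validating stream) and the issue description (use JDK serialization filters); it is not Commons Lang or Commons IO code. It contrasts an unrestricted readObject(), which is what SerializationUtils.deserialize amounts to, with the same call guarded by a java.io.ObjectInputFilter allow-list (JDK 9+). The class names Greeting, Unexpected and FilteredDeserializationDemo, and the filter limits, are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class FilteredDeserializationDemo {

    /** Constructed sample type: the one class the application legitimately expects to read. */
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /** Constructed stand-in for any class that is on the classpath but not expected in the stream. */
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Allow-list filter (java.io.ObjectInputFilter, JDK 9+): Greeting and classes of the
    // java.base module are accepted, everything else is rejected by the trailing "!*".
    // The maxdepth/maxrefs/maxbytes limits bound nesting, object count and stream size.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=256;maxbytes=16384;Greeting;java.base/*;!*");

    /** Unrestricted read: equivalent to SerializationUtils.deserialize, any class is instantiated. */
    static Object deserializeUnchecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /** Filtered read: the filter is consulted for each class before it is resolved or instantiated. */
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Greeting("hello"));
        byte[] unexpected = serialize(new Unexpected());

        // Without a filter both streams are accepted; the caller only finds out afterwards.
        System.out.println("unchecked, expected:   " + ((Greeting) deserializeUnchecked(expected)).text);
        System.out.println("unchecked, unexpected: " + deserializeUnchecked(unexpected).getClass().getName());

        // With the filter the expected type still works, the other is refused up front.
        System.out.println("filtered, expected:    " + ((Greeting) deserializeFiltered(expected)).text);
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            // ObjectInputStream throws as soon as the filter returns REJECTED,
            // before any Unexpected instance exists.
            System.out.println("filtered, unexpected:  rejected (" + e.getMessage() + ")");
        }
    }
}
```

The same allow-list can be expressed with the Commons IO class the comment links to, by wrapping the stream in a ValidatingObjectInputStream and calling accept(Greeting.class) on it before readObject(); the JDK filter shown here has the additional benefit of the resource limits and can also be installed process-wide through ObjectInputFilter.Config.setSerialFilter, which covers code paths that forget to set a per-stream filter.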



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
