The following is an interesting slide: https://speakerdeck.com/pwntester/surviving-the-java-deserialization-apocalypse?slide=31
Oracle has stated they will not fix these security issues with Collection classes for de-serialization.
RIVER-49 also identifies serial form issues with Collections. https://issues.apache.org/jira/projects/RIVER/issues/RIVER-49?filter=allopenissues

Cheers,
Peter.