Deserializing user input via the `Serializable` API is extremely dangerous


The problem

The Java Serializable API is very powerful, and very dangerous. Any consumption of a serialized object that cannot be explicitly trusted will likely result in a critical remote code execution bug that will give an attacker control of the application. (See Effective Java 3rd Edition §85)

Consider using less powerful serialization methods, such as JSON or XML.
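As an added illustration (not part of the Error Prone documentation or its code), the `readObject()` call this check flags is shown beside a variant that installs a JDK 9+ `ObjectInputFilter` allowlist before reading; the `Message` payload class and the size limits are hypothetical stand-ins:

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.Serializable;

public final class UntrustedRead {

  /** Hypothetical payload type the service expects from clients. */
  public static final class Message implements Serializable {
    private static final long serialVersionUID = 1L;
    public int id;
    public String body;
  }

  /**
   * The pattern BanSerializableRead flags: readObject() on attacker-controlled bytes.
   * The stream, not this code, chooses which classes get instantiated, so any gadget
   * class on the classpath runs before the cast below is ever reached.
   */
  static Message readUnfiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
    try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
      return (Message) in.readObject();
    }
  }

  /**
   * Mitigated variant: a JEP 290 filter rejects every class except Message and String
   * and bounds graph depth, array size and stream bytes so a hostile stream cannot
   * exhaust memory before the class check fails. The readObject() call is still flagged,
   * so the suppression is applied only to this reviewed method. Where possible, prefer a
   * format such as JSON that never instantiates arbitrary classes at all.
   */
  @SuppressWarnings("BanSerializableRead")
  static Message readAllowlisted(byte[] untrusted) throws IOException, ClassNotFoundException {
    ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
        "maxdepth=4;maxarray=4096;maxbytes=65536;"
            + Message.class.getName() + ";java.lang.String;!*");
    try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
      in.setObjectInputFilter(filter);
      return (Message) in.readObject();
    }
  }
}
```

With the filter installed, a stream naming any class outside the allowlist fails with `InvalidClassException` before that class is resolved.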


Suppress false positives by adding the suppression annotation @SuppressWarnings("BanSerializableRead") to the enclosing element.