<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Jep415 on Devops Monk</title><link>https://devops-monk.com/tags/jep415/</link><description>Recent content in Jep415 on Devops Monk</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Mon, 04 May 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://devops-monk.com/tags/jep415/index.xml" rel="self" type="application/rss+xml"/><item><title>Context-Specific Deserialization Filters (JEP 415): Securing Java Deserialization</title><link>https://devops-monk.com/tutorials/java17/deserialization-filters/</link><pubDate>Mon, 04 May 2026 00:00:00 +0000</pubDate><guid>https://devops-monk.com/tutorials/java17/deserialization-filters/</guid><description>Finalized in Java 17 (JEP 415). Extends JEP 290 (Java 9), which introduced the basic deserialization filter API.
Why Deserialization Is Dangerous
Java object deserialization (ObjectInputStream.readObject()) is one of the most exploited attack surfaces in Java. When a Java application deserializes untrusted bytes, the JVM instantiates arbitrary classes and calls their methods as a side effect — before your application code even sees the result.
Attackers craft gadget chains: sequences of serializable classes in common libraries (Apache Commons Collections, Spring Framework, etc.</description></item></channel></rss>