Commit 3811cd4

committed
Introduce warnings in documentation of SerializationUtils
Closes gh-28246
1 parent d927e37 commit 3811cd4

File tree

1 file changed: +17 -2 lines changed

spring-core/src/main/java/org/springframework/util/SerializationUtils.java

Lines changed: 17 additions & 2 deletions
@@ -1,5 +1,5 @@
11
/*
2-
* Copyright 2002-2019 the original author or authors.
2+
* Copyright 2002-2022 the original author or authors.
33
*
44
* Licensed under the Apache License, Version 2.0 (the "License");
55
* you may not use this file except in compliance with the License.
@@ -25,9 +25,18 @@
2525
import org.springframework.lang.Nullable;
2626

2727
/**
28-
* Static utilities for serialization and deserialization.
28+
* Static utilities for serialization and deserialization using
29+
* <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/serialization/"
30+
* target="_blank">Java Object Serialization</a>.
31+
*
32+
* <p><strong>WARNING</strong>: These utilities should be used with caution. See
33+
* <a href="https://www.oracle.com/java/technologies/javase/seccodeguide.html#8"
34+
* target="_blank">Secure Coding Guidelines for the Java Programming Language</a>
35+
* for details.
2936
*
3037
* @author Dave Syer
38+
* @author Loïc Ledoyen
39+
* @author Sam Brannen
3140
* @since 3.0.5
3241
*/
3342
public abstract class SerializationUtils {
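Review bot: The class-level warning says the utilities "should be used with caution" but never states what the hazard is; a reader of the class summary has to scroll to the `deserialize` Javadoc (later hunk) to learn that Java Object Serialization of untrusted bytes can lead to code execution. Suggest naming the risk in one sentence here before the link, e.g. `* <p><strong>WARNING</strong>: Deserializing untrusted input with these utilities is unsafe. See` followed by the existing Secure Coding Guidelines reference, so the two warnings are consistent.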
@@ -55,6 +64,12 @@ public static byte[] serialize(@Nullable Object object) {
5564

5665
/**
5766
* Deserialize the byte array into an object.
67+
* <p><strong>WARNING</strong>: This utility will be deprecated in Spring
68+
* Framework 6.0 since it uses Java Object Serialization, which allows arbitrary
69+
* code to be run and is known for being the source of many Remote Code Execution
70+
* (RCE) vulnerabilities. Prefer the use of an external tool (that serializes
71+
* to JSON, XML, or any other format) which is regularly checked and updated
72+
* for not allowing RCE.
5873
* @param bytes a serialized object
5974
* @return the result of deserializing the bytes
6075
*/
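Review bot: The warning on `deserialize` explains the future deprecation and why Java Object Serialization is risky, but does not state the one rule a caller needs: the `bytes` argument must come only from a trusted source and must never be user-controlled or network-supplied data. Suggest adding that to the `@param bytes` description (e.g. `* @param bytes a serialized object, which must originate from a trusted source`). The advice to "prefer the use of an external tool ... regularly checked and updated for not allowing RCE" is also vague; since JSON and XML are already mentioned, naming them as the recommended alternative formats and dropping the "checked and updated" clause would read more precisely.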

0 commit comments