ObjectInputStream.readObject (Java)
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
Java native deserialization via ObjectInputStream.readObject can trigger gadget chains that run code during deserialization. Avoid it on untrusted streams; prefer a data format like JSON.
Why it matters
Java native deserialization via ObjectInputStream.readObject reconstructs objects from the stream and can trigger gadget chains in libraries on the classpath, running code during deserialization. This is a well-known remote code execution class when the stream is untrusted.
How to fix it
Avoid Java serialization for data that crosses a trust boundary; use JSON with a library such as Jackson bound to specific types. If you must keep ObjectInputStream, add a strict resolveClass allowlist (an ObjectInputFilter) that permits only the classes you expect. Never readObject directly from a network or user-supplied stream.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo