The serialization and deserialization features can be exploited to bypass security manager checks. A serializable class may employ install security manager checks in its constructors for various reasons. For example, the checks prevent untrusted code from modifying the internal state of the class.
...