...

Vulnerability CVE-2008-5339 concerns a series of vulnerabilities in Java. In one of the vulnerabilities, an applet causes an object to be deserialized using ObjectInputStream.readObject(), but the input is controlled by an attacker. The object actually read in is a serializable subclass of ClassLoader, and it has a readObject() method that stashes the object instance into a static variable; consequently the object survives deserialization. As a result, the applet has managed to construct a ClassLoader object, bypassing the restrictions against doing so in an applet, and that ClassLoader allows it to construct classes that are not subject to the security restrictions of an applet. The vulnerability is described in depth in SER37-J. Do not deserialize from a privileged context.
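The mechanism the paragraph describes, a readObject() that stashes the deserialized instance into a static field so it outlives the readObject() call, can be seen in a few lines, together with the defensive check a practitioner would pair with it. The following is an added example, not code from the CERT rule or from the CVE; the class names (StashDemo, Stasher, Harmless) and the serialized sample payload are constructed for illustration. The hardened path uses java.io.ObjectInputFilter (Java 9+), which is consulted before a class's readObject() runs, so an unexpected class is rejected rather than instantiated.

```java
import java.io.*;

public class StashDemo {
    // Constructed example: a Serializable class whose readObject() stores the
    // deserialized instance in a static field. The caller may discard the
    // return value of readObject(), but the instance stays reachable.
    static class Stasher implements Serializable {
        private static final long serialVersionUID = 1L;
        static Stasher leaked; // the instance survives deserialization here

        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            leaked = this;
        }
    }

    // The only class this (hypothetical) application expects on the stream.
    static class Harmless implements Serializable {
        private static final long serialVersionUID = 1L;
        String label = "ok";
    }

    // Helper: serialize an object to bytes (stands in for attacker-controlled input).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Unfiltered deserialization: returns true when the Stasher's readObject()
    // ran and stashed the instance, even though the result was thrown away.
    static boolean instanceStashedUnfiltered(byte[] bytes)
            throws IOException, ClassNotFoundException {
        Stasher.leaked = null;
        try (ObjectInputStream ois =
                     new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.readObject();
        }
        return Stasher.leaked != null;
    }

    // Hardened deserialization: an allow-list filter admits only Harmless and
    // rejects every other class ("!*") before its readObject() can execute.
    // Returns true only if a Stasher instance was nevertheless stashed.
    static boolean instanceStashedFiltered(byte[] bytes)
            throws IOException, ClassNotFoundException {
        Stasher.leaked = null;
        try (ObjectInputStream ois =
                     new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    Harmless.class.getName() + ";!*"));
            ois.readObject();
        } catch (InvalidClassException rejected) {
            // The filter refused the class; nothing was instantiated.
            return false;
        }
        return Stasher.leaked != null;
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = serialize(new Stasher());
        System.out.println("unfiltered, instance stashed: "
                + instanceStashedUnfiltered(payload));
        System.out.println("filtered,   instance stashed: "
                + instanceStashedFiltered(payload));
    }
}
```

The filter addresses only which classes may be instantiated; it does not change the privilege context in which readObject() runs. The rule's other half still applies: because an arbitrary readObject() executes with whatever privileges the calling code holds, deserialization of untrusted data should happen outside any privileged block (for example outside AccessController.doPrivileged), so that a class which slips past the filter gains nothing from the caller's privileges.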

...