It is not unusual for Java code to deserialize data that comes from an untrusted source. A serializable class can overload the method readObject(), which is called when an object of that class is being deserialized. This method (as well as similar methods such as readResolve and readObjectNoData) should treat the serialized data as potentially malicious, and it should not perform dangerous operations, nor should it set the stage for such operations to be performed later in the deserialization process. For example, simply deserializing data should never invoke the method Runtime.exec().
...