...
This noncompliant code example describes a security vulnerability from JDK 5.0 software. At the time, java.io.File was non-final, allowing an attacker to supply, as a parameter, an untrusted value constructed by extending the legitimate java.io.File class. In this way, the getPath() method could be overridden so that the security check passes the first time it is called but the value mutates the second time to refer to a sensitive file such as /etc/passwd. This is a time-of-check, time-of-use (TOCTOU) vulnerability.
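The following Java listing is an added illustration, not code from the original page. Because today's java.io.File is final, it models the JDK 5.0-era situation with a stand-in class named NonFinalFile (hypothetical), a MutatingFile subclass whose getPath() returns a different value on its second call, and a constructed allow-list prefix of /tmp/. It contrasts the check-then-use pattern that reads getPath() twice with a hardened version that reads the path once into an immutable String and uses that copy for both the check and the use. Nothing here touches the filesystem; the methods only return the path that would have been opened.

```java
import java.io.File; // the real class; kept only to show what NonFinalFile stands in for

// Added example (not the page's own code). Models the JDK 5.0 situation the text
// describes: a File-like type that is not final, so a caller can hand in a subclass
// whose getPath() changes its answer between the security check and the use.
public class ToctouFileCheck {

    // Stand-in for the non-final java.io.File of JDK 5.0 (hypothetical class).
    static class NonFinalFile {
        private final String path;
        NonFinalFile(String path) { this.path = path; }
        public String getPath() { return path; }
    }

    // Subclass with the behaviour the text describes: the first getPath() call returns
    // a harmless path, every later call a sensitive one. Path values are constructed.
    static class MutatingFile extends NonFinalFile {
        private int calls = 0;
        MutatingFile() { super("/tmp/harmless.txt"); }
        @Override public String getPath() {
            return (calls++ == 0) ? "/tmp/harmless.txt" : "/etc/passwd";
        }
    }

    // Constructed policy for the example: only paths under /tmp/ may be opened.
    static final String ALLOWED_PREFIX = "/tmp/";

    // Vulnerable: the check and the use each call getPath() on the caller's object,
    // so the value that passed the check is not necessarily the value that is used.
    static String openVulnerable(NonFinalFile f) {
        if (!f.getPath().startsWith(ALLOWED_PREFIX)) {   // time of check
            throw new SecurityException("access denied");
        }
        return f.getPath();                               // time of use: second call
    }

    // Hardened: read getPath() exactly once into an immutable String and use only that
    // copy. The subclass can still lie, but it can no longer say one thing at check time
    // and another at use time. (Declaring the type final, as later JDKs did for File,
    // removes the subclass vector at the source; the defensive copy is what the callee
    // can do on its own.)
    static String openHardened(NonFinalFile f) {
        final String path = f.getPath();                  // single read
        if (!path.startsWith(ALLOWED_PREFIX)) {
            throw new SecurityException("access denied");
        }
        return path;                                      // same value that was checked
    }

    public static void main(String[] args) {
        // Vulnerable path: the check sees /tmp/harmless.txt, the use gets /etc/passwd.
        System.out.println("vulnerable would open: " + openVulnerable(new MutatingFile()));
        // Hardened path: the checked value is the used value, so the harmless file is opened.
        System.out.println("hardened would open:   " + openHardened(new MutatingFile()));
    }
}
```

Run with `javac ToctouFileCheck.java && java ToctouFileCheck`. The same single-read pattern applies to any mutable or overridable argument used in a security decision: copy the value you are about to check into a type the caller cannot influence (here a String), and perform both the check and the use on that copy.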
...