...
This compliant solution creates a defensive copy of the mutable date object in the readObject() method. Note the use of field-by-field input and validation of incoming fields (see guideline rule void SER04-J. Validate deserialized objects for additional information). Additionally, note that this compliant solution is insufficient to protect sensitive data (see guideline rule SER03-J. Do not serialize unencrypted, sensitive data for additional information).
...
Search for vulnerabilities resulting from the violation of this guideline rule on the CERT website.
Bibliography
...