Unrestricted deserialization from a privileged context allows an attacker to supply crafted input that, when deserialized, yields objects the attacker lacks the permission to construct directly, because the object is created with the privileges of the deserializing code rather than those of whoever supplied the bytes. One example is the construction of a sensitive object, such as a custom class loader. (See guidelines SEC12-J. Do not grant untrusted code access to classes in inaccessible packages and SEC13-J. Do not allow unauthorized construction of classes in forbidden inaccessible packages.)
Noncompliant Code Example
...
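The following is an added, self-contained example written for this page (it is not the guideline's own code example). It places the vulnerable pattern, where `readObject()` runs inside a `doPrivileged` block with the caller's full permissions, next to a hardened version that deserializes under an `AccessControlContext` holding no permissions and additionally installs an `ObjectInputFilter` (Java 9+) that accepts only the expected class. The `Record` class, the `PrivilegedDeserializationDemo` class, and the use of `java.util.ArrayList` as a stand-in for an unexpected class in the stream are assumptions made for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Permissions;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;
import java.util.Set;

/** Hypothetical data class that the application legitimately expects to read. */
final class Record implements Serializable {
    private static final long serialVersionUID = 1L;
    final String name;
    Record(String name) { this.name = name; }
}

public final class PrivilegedDeserializationDemo {

    // Noncompliant pattern: readObject() runs with the full privileges of the
    // caller's protection domain, so any serializable class on the class path
    // can be instantiated with those privileges from attacker-controlled bytes.
    static Object deserializePrivileged(byte[] untrusted) throws Exception {
        try {
            return AccessController.doPrivileged((PrivilegedExceptionAction<Object>) () -> {
                try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
                    return ois.readObject();
                }
            });
        } catch (PrivilegedActionException e) {
            throw e.getException();
        }
    }

    // A static protection domain with an empty permission set: code running
    // under this context passes no SecurityManager permission check at all.
    private static final AccessControlContext NO_PRIVILEGES =
        new AccessControlContext(new ProtectionDomain[] {
            new ProtectionDomain(null, new Permissions())
        });

    // Classes the stream is allowed to contain. String is listed because the
    // expected Record carries a String field.
    private static final Set<Class<?>> ALLOWED = Set.of(Record.class, String.class);

    // Hardened pattern: (1) readObject() runs under NO_PRIVILEGES, so a
    // sensitive constructor (e.g. a custom class loader) fails its permission
    // check when a SecurityManager is installed; (2) the filter rejects every
    // class descriptor that is not on the allow list before it is instantiated.
    static Record deserializeLeastPrivilege(byte[] untrusted) throws Exception {
        ObjectInputFilter allowListOnly = info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                // Not a class descriptor (depth/reference/array-length checks): defer.
                return ObjectInputFilter.Status.UNDECIDED;
            }
            return ALLOWED.contains(c) ? ObjectInputFilter.Status.ALLOWED
                                       : ObjectInputFilter.Status.REJECTED;
        };
        try {
            return AccessController.doPrivileged((PrivilegedExceptionAction<Record>) () -> {
                try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
                    ois.setObjectInputFilter(allowListOnly);
                    return (Record) ois.readObject();
                }
            }, NO_PRIVILEGES);
        } catch (PrivilegedActionException e) {
            throw e.getException();
        }
    }

    // Helper producing constructed sample input for the demonstration.
    static byte[] serialize(Serializable s) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(s);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Record("alice"));
        System.out.println("accepted: " + deserializeLeastPrivilege(expected).name);

        // Constructed stand-in for a crafted stream naming a class the
        // application never intended to instantiate.
        byte[] unexpected = serialize(new java.util.ArrayList<String>());
        try {
            deserializeLeastPrivilege(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The reduced `AccessControlContext` only has an effect when a `SecurityManager` is installed (`-Djava.security.manager`), and `SecurityManager` and `AccessController` are deprecated for removal since Java 17; the `ObjectInputFilter` allow list, by contrast, is enforced by `ObjectInputStream` itself and works without a security manager, which is why the hardened method applies both.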