Unrestricted deserializing from a privileged context allows an attacker to supply crafted input which upon deserialization, can yield objects that the attacker does not have permissions to construct. Construction of a custom class loader is one example (See SEC07-J. Do not grant access to existing classes or allow the unauthorized construction of new classes classes that exist in forbidden packages).
Noncompliant Code Example
...