For credits: the recent report about a deserialization gadget chain starting at TrieMap.readObject was submitted by Qianheng Wang (Fudan University, https://github.com/qhwang996). It prompted us to publish the new documentation page. Thank you for the detailed report (including reproduction code) and for following our reporting guidelines.