The method java.net.URL#hashCode does a network lookup. Just one network lookup is not a problem, but I guess an endless loop of network lookups, with a 2 KB serialized file.
To make it do an endless loop of network lookups, the URL is be placed in a ArrayList which is placed in another ArrayList which is placed in a HashMap as the key, such that the hashCode method is called in a virtually endless loop. And the URL string is specially crafted such that the hashCode is -1, so that the hashCode is not cached.
Blacklisting java.net.URL will not solve the 100% CPU endless loop problem by the way.