Native Java serialization filter blacklist for common gadgets
Latest commit 1b9a51c Sep 12, 2019

JEP 290 blacklist filter policies

This repository contains several blacklists of classes that are used in publicly known Java deserialization gadget chains. The lists can be used with the pattern-based serialization filter introduced in Java 9. This functionality was also backported to older Java versions:

  • Java 8 - 8u121
  • Java 7 - 7u131
  • Java 6 - 6u141


The easiest way to use this list is to set the filter policy during application startup. This sets the global filter policy for all ObjectInputStream instances of the application, without changing the actual code.


java -Djdk.serialFilter="<filter policy>" -jar application.jar

It is also possible to use the policy in a custom filter; see the official Java documentation.


This policy does not provide any resource limit filters, which help to protect your application against potential Denial of Service (DoS) attacks. Use this policy at your own risk.
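
The following is an added example, not code from this repository: it shows a per-stream custom filter on Java 9 or later that combines a reject entry with the resource limits this policy leaves out. The classes `Gadget` and `Harmless` are constructed stand-ins, the single `!` entry is a placeholder for the repository's list, and the limit values are assumptions to tune per application.

```java
import java.io.*;

public class SerialFilterDemo {
    // Constructed stand-in for a class that a blacklist entry would reject.
    static class Gadget implements Serializable {}
    // Constructed stand-in for an ordinary application class.
    static class Harmless implements Serializable {}

    // "!" marks a rejected class; the max* entries are JEP 290 resource limits.
    // The entry and the limit values are assumptions for this demo.
    static final String PATTERN = "!" + Gadget.class.getName()
            + ";maxdepth=20;maxrefs=1000;maxbytes=100000;maxarray=10000";

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Deserializes with the filter installed on this stream only.
    // Returns true if the object was read, false if the filter rejected it.
    static boolean accepted(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(PATTERN);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            // Must be set before the first object is read from the stream.
            in.setObjectInputFilter(filter);
            in.readObject();
            return true;
        } catch (InvalidClassException e) {
            // Raised when the filter returns Status.REJECTED.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Harmless accepted: " + accepted(serialize(new Harmless())));
        System.out.println("Gadget accepted: " + accepted(serialize(new Gadget())));
        // An array longer than maxarray is refused before its elements are read.
        System.out.println("int[20000] accepted: " + accepted(serialize(new int[20000])));
    }
}
```

Classes that match no `!` entry are left undecided by the pattern filter and are therefore still deserialized, so a blacklist only stops the gadget classes it names.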

