Native Java serialization filter blacklist for common gadgets

JEP 290 blacklist filter policies

This repository contains different blacklists of classes that are used in publicly known Java deserialization gadget chains. They can be used with the pattern-based serialization filter (JEP 290) introduced in Java 9. This functionality was also backported to older Java versions:

  • Java 8 - 8u121
  • Java 7 - 7u131
  • Java 6 - 6u141


The easiest way to use this list is to set the filter policy as a system property during application startup. This sets the global filter policy for all ObjectInputStream instances of the application, without changing the actual code.


java -Djdk.serialFilter='<policy pattern from this repository>' -jar application.jar

It is also possible to use the policy in a custom filter (an ObjectInputFilter applied to a single stream or installed process-wide); please see the official Java documentation.
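The following is an added example of the custom-filter route, not code from this repository. It builds a filter from a constructed blacklist pattern (the package `com.example.gadgets` and class `com.example.Evil` are placeholders, not entries from the repository's list), appends the resource limits that this policy does not include, wraps the filter so that rejections are logged, and applies it to a single stream. The same filter object could instead be installed process-wide with `ObjectInputFilter.Config.setSerialFilter`, which is the programmatic equivalent of `-Djdk.serialFilter`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;

public class SerialFilterDemo {

    // Constructed placeholder blacklist: "!" rejects a match, "**" matches a package and all
    // subpackages. In practice this string would be the pattern list from the repository.
    static final String BLACKLIST = "!com.example.gadgets.**;!com.example.Evil";

    // Resource limits the repository's policy does not carry; these bound graph depth,
    // array sizes, back-references and total stream bytes to limit DoS exposure.
    static final String LIMITS = "maxdepth=20;maxarray=10000;maxrefs=10000;maxbytes=1048576";

    /** Builds the JEP 290 filter and wraps it so that every rejection is logged. */
    static ObjectInputFilter buildFilter() {
        ObjectInputFilter policy = ObjectInputFilter.Config.createFilter(BLACKLIST + ";" + LIMITS);
        // ObjectInputFilter is a functional interface: delegate, then log rejections.
        return info -> {
            ObjectInputFilter.Status status = policy.checkInput(info);
            if (status == ObjectInputFilter.Status.REJECTED) {
                // serialClass() is null for pure limit checks (e.g. maxbytes), so print it as-is.
                System.err.println("Rejected deserialization: class=" + info.serialClass()
                        + " depth=" + info.depth() + " bytes=" + info.streamBytes());
            }
            // A class matched by no pattern stays UNDECIDED, which a pure blacklist allows.
            return status;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserializes with the filter attached to this stream only. */
    static Object deserialize(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectInputFilter filter = buildFilter();

        // Harmless constructed payload: ArrayList and String match no reject pattern.
        List<String> ok = new ArrayList<>(List.of("alpha", "beta"));
        System.out.println("accepted: " + deserialize(serialize(ok), filter));

        // Constructed payload whose object graph is 50 levels deep, exceeding maxdepth=20.
        List<Object> root = new ArrayList<>();
        List<Object> cursor = root;
        for (int i = 0; i < 50; i++) {
            List<Object> next = new ArrayList<>();
            cursor.add(next);
            cursor = next;
        }
        try {
            deserialize(serialize(root), filter);
        } catch (InvalidClassException e) {
            // The stream throws InvalidClassException with "filter status: REJECTED".
            System.out.println("blocked: " + e.getMessage());
        }

        // Process-wide alternative (equivalent to -Djdk.serialFilter). It may be set only
        // once per JVM; a second call throws IllegalStateException.
        // ObjectInputFilter.Config.setSerialFilter(filter);
    }
}
```

Compile and run with a Java 9 or newer JDK (`javac SerialFilterDemo.java && java SerialFilterDemo`); on the backported Java 6, 7 and 8 releases the same API lives in `sun.misc.ObjectInputFilter`. Keeping the per-stream and process-wide variants on the same filter object means the blacklist is maintained in one place regardless of how it is installed.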


This policy does not provide any resource limit filters (such as maxdepth, maxarray, maxrefs or maxbytes), which help to protect your application against potential Denial of Service (DoS) attacks. Use this policy at your own risk.

