Oracle · Java · CVE-2026-47065
**Name of the Vulnerable Software and Affected Versions**
Java (affected versions not specified)
**Description**
Two issues exist in Java deserialization filtering. First, a filter bypass occurs when a serialized stream contains a `TC_PROXYCLASSDESC` marker for a `java.lang.reflect.Proxy`. In this case, `ObjectInputStream.readProxyDesc()` is dispatched, and the default `ObjectInputStream.resolveProxyClass(interfaces)` implementation is called. That implementation performs `Class.forName(intf, false, latestUserDefinedLoader())` for each interface name in order to construct the proxy class, which bypasses the accepted-classes list. Second, deserializing a stream that names any class on the allow-list triggers that class's static initializer (`<clinit>`) before any instance is constructed. This allows an attacker to trigger side-effecting static initializers by supplying a class name that matches the allow-list patterns.
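One defensive pattern for the proxy path described above, written here as an added example (not JDK code and not a vendor fix): subclass `ObjectInputStream`, validate every interface name against an allow-list before delegating to the default `resolveProxyClass`, and install an `ObjectInputFilter` for ordinary class descriptors. The class name `GuardedObjectInputStream`, the `com.example` package and the interface `com.example.api.Greeter` are assumptions constructed for this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.util.Set;

/**
 * Hypothetical hardened stream (example code, not part of the JDK).
 * Interface names that reach resolveProxyClass are checked against an
 * allow-list before the default implementation calls Class.forName on
 * them; an ObjectInputFilter covers the non-proxy descriptor path.
 */
public final class GuardedObjectInputStream extends ObjectInputStream {

    // Constructed allow-list for this example; a real deployment derives
    // it from the exact interfaces the application expects in proxies.
    private static final Set<String> ALLOWED_PROXY_INTERFACES =
            Set.of("com.example.api.Greeter");

    public GuardedObjectInputStream(InputStream in) throws IOException {
        super(in);
        // Pattern filter for ordinary class descriptors: permit
        // com.example.** only, reject everything else, and bound depth.
        setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                "maxdepth=10;com.example.**;!*"));
    }

    @Override
    protected Class<?> resolveProxyClass(String[] interfaces)
            throws IOException, ClassNotFoundException {
        // Reject before delegating: the default implementation would
        // call Class.forName(intf, false, loader) on every name first.
        for (String intf : interfaces) {
            if (!ALLOWED_PROXY_INTERFACES.contains(intf)) {
                throw new InvalidClassException(
                        "proxy interface not permitted: " + intf);
            }
        }
        return super.resolveProxyClass(interfaces);
    }
}
```

This addresses only the proxy-descriptor path; the second issue (static initializers of allow-listed classes) is mitigated by keeping the allow-list as narrow as the application permits, since any class the filter accepts may be initialized.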
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.