Deserialization from an untrusted source using the XMLDecoder library can lead to unexpected code execution. For example, it has led in the past to the following vulnerability:

XMLDecoder supports arbitrary method invocation. This capability is intended for calling setter methods only, but nothing prevents the execution of any other method named in the XML document.

This rule raises an issue when XMLDecoder is instantiated. The call to "readObject" is also highlighted to show where the malicious code can be executed.

Ask Yourself Whether

(*) You are at risk if you answered yes to this question.

Recommended Secure Coding Practices

If you only need a simple deserialization, use one of the deserialization libraries recommended by OWASP instead.

If you really need to use XMLDecoder, make sure that the serialized data cannot be tampered with.
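One way to apply the second recommendation, shown here as an added example that is not part of the rule text or its code: the producer of the XML authenticates the bytes with an HMAC, and the consumer refuses to hand anything to XMLDecoder unless the tag verifies. The class name, the key handling and the sample document are assumptions; in practice the key comes from a secret store shared only with the trusted producer.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public final class TrustedXmlDecoder {
    private final byte[] key; // assumption: a secret shared with the trusted producer

    TrustedXmlDecoder(byte[] key) { this.key = key.clone(); }

    /** Tag serialized bytes produced by a trusted XMLEncoder run. */
    byte[] tag(byte[] xml) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(xml);
    }

    /** Decode only if the tag verifies; otherwise XMLDecoder never sees the bytes. */
    Object decodeIfUntampered(byte[] xml, byte[] expectedTag) throws Exception {
        // constant-time comparison so the check itself does not leak the tag
        if (!MessageDigest.isEqual(tag(xml), expectedTag)) {
            throw new SecurityException("integrity check failed; refusing to deserialize");
        }
        try (XMLDecoder d = new XMLDecoder(new ByteArrayInputStream(xml))) {
            return d.readObject(); // still runs whatever the trusted producer wrote
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the document XMLEncoder emits for a single String
        String doc = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
            + "<java version=\"1.8.0\" class=\"java.beans.XMLDecoder\">\n"
            + " <string>hello</string>\n"
            + "</java>\n";
        byte[] xml = doc.getBytes(StandardCharsets.UTF_8);
        byte[] demoKey = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        TrustedXmlDecoder dec = new TrustedXmlDecoder(demoKey);

        byte[] t = dec.tag(xml);
        System.out.println(dec.decodeIfUntampered(xml, t)); // hello

        // Any change to the bytes after tagging is rejected before readObject runs
        byte[] altered = doc.replace("hello", "changed").getBytes(StandardCharsets.UTF_8);
        try {
            dec.decodeIfUntampered(altered, t);
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The tag proves only that the bytes were produced by a holder of the key; it does not restrict what XMLDecoder will execute, so the producer side must itself be trusted.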

Sensitive Code Example

import java.beans.XMLDecoder;
import java.io.InputStream;

public void decode(InputStream in) {
  XMLDecoder d = new XMLDecoder(in); // Sensitive: the stream may come from an untrusted source
  Object result = d.readObject();    // any method invocation described in the XML is executed here
  // [...]
  d.close();
}

See