https://www.nsec.io/2016/01/the-new-wave-of-deserialization-bugs/
Recently, several deserialization bugs have been disclosed. In 2015, many Java applications, including WebLogic, Jenkins and JBoss, were found vulnerable because of a common bug pattern: deserializing untrusted data. This talk will present the risk associated with deserialization mechanisms and how they can be exploited. While fixes are available for some of the known vulnerable applications, your enterprise might be maintaining a proprietary application that is still at risk. A tool will be presented to identify the vulnerable pattern. This class of vulnerability is not specific to Java and applies to any language with a native object-serialization mechanism; other examples will be given for PHP and Python.
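The bug pattern the abstract refers to, shown in Python since it is one of the languages the talk covers: an application calls `pickle.loads()` on bytes it did not produce, and the serialized stream is allowed to name any importable callable, so the attacker chooses what gets executed during loading. The following is an added example written for this page, not code from the talk or its tool. The `Gadget` class, the `sink` stand-in (which records the command instead of running it, where a real payload would reference `os.system`) and the `RestrictedUnpickler` allowlist are all constructed for illustration.

```python
import io
import pickle

# Constructed stand-in for a dangerous callable such as os.system.
# Instead of executing anything it records what the untrusted pickle
# asked the process to run, so the demonstration stays harmless.
EXECUTED = []


def sink(cmd):
    EXECUTED.append(cmd)
    return 0


class Gadget:
    """Attacker-side helper: pickle serializes __reduce__'s return value
    as "call sink(cmd) when this object is loaded". A real attacker does
    not need this class at all; they hand-craft the same opcodes and
    point the GLOBAL opcode at os.system."""

    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        return (sink, (self.cmd,))


def build_malicious_payload(cmd):
    return pickle.dumps(Gadget(cmd))


def benign_payload():
    # Plain data with no class references: what the application expects.
    return pickle.dumps({"user": "alice", "roles": ["admin"]})


def unsafe_load(data):
    # The vulnerable pattern: any callable reachable by import can be
    # invoked with attacker-chosen arguments before this even returns.
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened form: override find_class so the stream can only resolve
    globals that are on an explicit allowlist. Everything else, including
    sink/os.system, is rejected before it is called. Builtin containers
    (dict, list, str, int...) are encoded as opcodes, not globals, so they
    need no entry here."""

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            "global %s.%s is not on the allowlist" % (module, name)
        )


def safe_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_with_policy(data):
    """Returns ("ok", obj) or ("blocked", reason) so callers can log
    rejected payloads instead of letting the exception propagate."""
    try:
        return ("ok", safe_load(data))
    except pickle.UnpicklingError as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    payload = build_malicious_payload("id")
    unsafe_load(payload)
    print("unsafe_load executed:", EXECUTED)
    print("safe_load on malicious payload:", load_with_policy(payload))
    print("safe_load on benign payload:", load_with_policy(benign_payload()))
```

The allowlist in `find_class` is the Python equivalent of the fix pattern used on the Java side: override `ObjectInputStream.resolveClass` (or, in Java 9 and later, install a serialization filter) so that only expected classes can be instantiated, rather than trying to find and patch every gadget chain. The better fix where possible is to not deserialize native object graphs from untrusted input at all and use a data-only format such as JSON.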