A Java deserialization vulnerability occurs when a Java application deserializes untrusted data and is a seldom-mentioned yet massive Application Security issue.
During the deserialization process, the data is transformed from its stream of bytes (binary representation) into an object that the application can use.
This process is made possible by the Apache Commons Collections library. The name of the class that’s responsible for the transformation is InvokerTransformer.
https://waratek.com/blog/java-deseriali ... erability/
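Added example, not code from the post or the linked Waratek article: an allow-list deserialization filter built on the JDK's own ObjectInputFilter (Java 9+). It accepts only the application's expected Invoice class plus java.base types, rejects every other class before it is instantiated (so a stream carrying org.apache.commons.collections.functors.InvokerTransformer is refused), and caps the object graph. The Invoice and Unexpected classes and the filter pattern are assumptions made for this illustration.

```java
import java.io.*;

public class FilteredDeserialization {

    // Constructed example type: the only application class expected on the wire.
    public static final class Invoice implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final long cents;
        Invoice(String id, long cents) { this.id = id; this.cents = cents; }
    }

    // Constructed example of a serializable class the application does NOT expect.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Allow-list: permit Invoice and classes from module java.base, reject everything
    // else ("!*"), and limit depth, reference count and bytes of the stream.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=100;maxbytes=10240;"
            + FilteredDeserialization.class.getName() + "$Invoice;java.base/*;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // The filter is installed before readObject, so a rejected class is never
    // instantiated and none of its readObject/readResolve code runs.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Invoice ok = (Invoice) deserialize(serialize(new Invoice("INV-1", 1999)));
        System.out.println("accepted: " + ok.id);
        try {
            deserialize(serialize(new Unexpected()));
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide with the jdk.serialFilter system property instead of per stream, which is the usual way to cover ObjectInputStream instances created by libraries you do not control.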