jdk.serial filter is not working for restricting depth of treemap in java

Kumar Gaurav kumargauravgupta3 at gmail.com
Tue Jul 30 03:07:18 UTC 2019

Hi All,

I'm mailing here for the first time and I am unaware of any rules for
mailing here. If there is any mistake please let me know. Below is my

JEP 290  <https://openjdk.java.net/jeps/290>solves the problem of
deserialization vulnerabilities except some collection classes which
includes TreeMap and LinkedList.

Can we have any solution or any work around to counter that?

In our RMI interface we are accepting Objects which may have TreeMap and
since there's no check on the size of treemap it is vulnerable to DDos
Attack. We have solution for ArrayList, Hashmap etc, Can we have something
similar for TreeMap and LinkedList as well?


Kumar Gaurav

More information about the core-libs-dev mailing list