Object deserialization is the cause of some of the most serious vulnerabilities in Java. It is baked into the language and has been available since version 1, and many libraries and frameworks use it to copy state and other data between JVMs, so it is unlikely ever to be removed from Java. Most 'fixes' for known vulnerabilities amount to little more than allow-listing or block-listing of classes, and new bypasses for previous fixes are discovered all the time.
Many techniques for exploiting deserialization vulnerabilities rely on code present in third-party libraries and do not require any specific first-party application code.
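As an added example that is not part of the original article, this is what the allow-listing mentioned above looks like with the JDK's built-in ObjectInputFilter (JEP 290, Java 9 and later): only the classes an endpoint legitimately expects are accepted, so a class from a third-party library is rejected before its readObject ever runs. The class names in the filter and the sample objects are my own constructed choices.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

public class AllowListDeserialization {

    // Allow-list filter: the named classes are accepted, the trailing "!*" rejects
    // every other class, and maxdepth caps nesting so a deeply nested object graph
    // cannot exhaust the stack. (Assumed names: this endpoint only ever expects a
    // list of strings.)
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;java.util.ArrayList;java.lang.String;!*");

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter installed on this stream only. A JVM-wide default
    // can instead be set with ObjectInputFilter.Config.setSerialFilter(...) or the
    // jdk.serialFilter system property.
    static Object deserialize(byte[] data) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the payload shape the endpoint expects -> accepted
        List<String> expected = new ArrayList<>(List.of("alice", "bob"));
        System.out.println("accepted: " + deserialize(serialize(expected)));

        // Constructed sample: any class outside the allow list. HashMap is harmless
        // here, but an unknown library class is rejected the same way, before it is
        // instantiated, which is why an allow list holds up where a block list needs
        // updating for every newly discovered bypass.
        HashMap<String, String> unexpected = new HashMap<>();
        unexpected.put("k", "v");
        try {
            deserialize(serialize(unexpected));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```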