Primary fix — never deserialize untrusted data:
If you need to pass data between services, use a data-only format: JSON, XML, or Protocol Buffers. These formats hold data, not objects — they cannot trigger magic methods or gadget chains.
If deserialization is unavoidable:
Implement an allowlist of classes that are permitted to be deserialized
Sign serialized objects — verify the signature before deserializing
Run deserialization in a sandboxed process with no filesystem or network access
Monitor for deserialization errors — they indicate attack attempts
Notable CVEs:
CVE-2015-4852 — Apache Commons Collections, CVSS 9.8, arbitrary RCE
CVE-2016-4437 — Apache Shiro deserialization, authentication bypass
CVE-2019-7609 — Kibana deserialization, RCE via prototype pollution
CVE-2021-44228 — Log4Shell, JNDI injection triggered during deserialization of log data
2020 — Telerik UI: A deserialization vulnerability in Telerik UI for ASP.NET AJAX was exploited in attacks against US government agencies. Attackers sent crafted serialized objects through the file upload interface. Arbitrary code ran on government servers. The vulnerability had been public for years — patching had not been applied.