diff --git a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
index 042d9b436fa..555d65d2257 100644
--- a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
+++ b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
@@ -51,7 +51,14 @@ class SafeKryo extends DataFlow2::Configuration {
 predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
   exists(Method m | m = ma.getMethod() |
     m instanceof ObjectInputStreamReadObjectMethod and
-    sink = ma.getQualifier()
+    sink = ma.getQualifier() and
+    not exists(DataFlow::ExprNode node |
+      node.getExpr() = sink and
+      node
+          .getTypeBound()
+          .(RefType)
+          .hasQualifiedName("org.apache.commons.io.serialization", "ValidatingObjectInputStream")
+    )
     or
     m instanceof XMLDecoderReadObjectMethod and
     sink = ma.getQualifier()
diff --git a/java/ql/test/library-tests/UnsafeDeserialization/Test.java b/java/ql/test/library-tests/UnsafeDeserialization/Test.java
new file mode 100644
index 00000000000..bbc59f956cd
--- /dev/null
+++ b/java/ql/test/library-tests/UnsafeDeserialization/Test.java
@@ -0,0 +1,12 @@
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import org.apache.commons.io.serialization.ValidatingObjectInputStream;
+
+class Test {
+	public void test() throws IOException, ClassNotFoundException {
+		ObjectInputStream objectStream = new ObjectInputStream(null);
+		ObjectInputStream validating = new ValidatingObjectInputStream(null);
+		objectStream.readObject();
+		validating.readObject();
+	}
+}
diff --git a/java/ql/test/library-tests/UnsafeDeserialization/unsafeDeserialization.expected b/java/ql/test/library-tests/UnsafeDeserialization/unsafeDeserialization.expected
new file mode 100644
index 00000000000..3b02e3ebe1a
--- /dev/null
+++ b/java/ql/test/library-tests/UnsafeDeserialization/unsafeDeserialization.expected
@@ -0,0 +1 @@
+| Test.java:9:3:9:27 | readObject(...) | ObjectInputStream |
diff --git a/java/ql/test/library-tests/UnsafeDeserialization/unsafeDeserialization.ql b/java/ql/test/library-tests/UnsafeDeserialization/unsafeDeserialization.ql
new file mode 100644
index 00000000000..9433eba7f7f
--- /dev/null
+++ b/java/ql/test/library-tests/UnsafeDeserialization/unsafeDeserialization.ql
@@ -0,0 +1,6 @@
+import default
+import semmle.code.java.security.UnsafeDeserialization
+
+from Method m, MethodAccess ma
+where ma.getMethod() = m and unsafeDeserialization(ma, _)
+select ma, m.getDeclaringType().getName()